{
  "statistics": {
    "processing": [
      {
        "name": "CAPE",
        "time": 6.721
      },
      {
        "name": "AnalysisInfo",
        "time": 0.015
      },
      {
        "name": "BehaviorAnalysis",
        "time": 0.97
      },
      {
        "name": "Debug",
        "time": 0.002
      },
      {
        "name": "NetworkAnalysis",
        "time": 1.059
      },
      {
        "name": "Suricata",
        "time": 8.082
      },
      {
        "name": "UrlAnalysis",
        "time": 0.0
      },
      {
        "name": "script_log_processing",
        "time": 0.0
      },
      {
        "name": "ProcessMemory",
        "time": 0.0
      }
    ],
    "signatures": [
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "stealth_network",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_blocklist",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_hvcidisallowedimages",
        "time": 0.0
      },
      {
        "name": "disable_hypervisor_protected_code_integrity",
        "time": 0.0
      },
      {
        "name": "pendingfilerenameoperations_Operations",
        "time": 0.0
      },
      {
        "name": "anomalous_deletefile",
        "time": 0.0
      },
      {
        "name": "antiav_360_libs",
        "time": 0.0
      },
      {
        "name": "antiav_ahnlab_libs",
        "time": 0.0
      },
      {
        "name": "antiav_avast_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bitdefender_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bullguard_libs",
        "time": 0.0
      },
      {
        "name": "antiav_emsisoft_libs",
        "time": 0.0
      },
      {
        "name": "antiav_qurb_libs",
        "time": 0.0
      },
      {
        "name": "antiav_servicestop",
        "time": 0.0
      },
      {
        "name": "antiav_apioverride_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_guardpages",
        "time": 0.0
      },
      {
        "name": "antidebug_ntcreatethreadex",
        "time": 0.0
      },
      {
        "name": "antiav_nthookengine_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_outputdebugstring",
        "time": 0.0
      },
      {
        "name": "antidebug_setunhandledexceptionfilter",
        "time": 0.0
      },
      {
        "name": "antidebug_windows",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoo",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoocrash",
        "time": 0.0
      },
      {
        "name": "antisandbox_foregroundwindows",
        "time": 0.0
      },
      {
        "name": "mouse_movement_detect",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_objects",
        "time": 0.0
      },
      {
        "name": "antisandbox_script_timer",
        "time": 0.0
      },
      {
        "name": "antisandbox_sleep",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_unhook",
        "time": 0.0
      },
      {
        "name": "antivm_directory_objects",
        "time": 0.0
      },
      {
        "name": "antivm_display",
        "time": 0.0
      },
      {
        "name": "antivm_generic_disk",
        "time": 0.0
      },
      {
        "name": "antivm_generic_scsi",
        "time": 0.0
      },
      {
        "name": "antivm_generic_services",
        "time": 0.0
      },
      {
        "name": "antivm_generic_system",
        "time": 0.0
      },
      {
        "name": "antivm_checks_available_memory",
        "time": 0.0
      },
      {
        "name": "detect_virtualization_via_recent_files",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_libs",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_window",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_events",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_libs",
        "time": 0.0
      },
      {
        "name": "antivm_wmi",
        "time": 0.0
      },
      {
        "name": "api_spamming",
        "time": 0.0
      },
      {
        "name": "api_uuidfromstringa",
        "time": 0.0
      },
      {
        "name": "bcdedit_command",
        "time": 0.0
      },
      {
        "name": "bootkit",
        "time": 0.0
      },
      {
        "name": "direct_hdd_access",
        "time": 0.0
      },
      {
        "name": "physical_drive_access",
        "time": 0.0
      },
      {
        "name": "potential_overwrite_mbr",
        "time": 0.0
      },
      {
        "name": "read_file_raw_disk_access",
        "time": 0.0
      },
      {
        "name": "suspicious_iocontrol_codes",
        "time": 0.0
      },
      {
        "name": "browser_needed",
        "time": 0.0
      },
      {
        "name": "firefox_disables_process_tab",
        "time": 0.0
      },
      {
        "name": "regsvr32_squiblydoo_dll_load",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstp",
        "time": 0.0
      },
      {
        "name": "uac_bypass_eventvwr",
        "time": 0.0
      },
      {
        "name": "uac_bypass_windows_Backup",
        "time": 0.0
      },
      {
        "name": "dotnet_code_compile",
        "time": 0.0
      },
      {
        "name": "queries_computer_name",
        "time": 0.0
      },
      {
        "name": "queries_user_name",
        "time": 0.0
      },
      {
        "name": "creates_largekey",
        "time": 0.0
      },
      {
        "name": "creates_nullvalue",
        "time": 0.0
      },
      {
        "name": "access_windows_passwords_vault",
        "time": 0.0
      },
      {
        "name": "dump_lsa_via_windows_error_reporting",
        "time": 0.0
      },
      {
        "name": "lsass_credential_dumping",
        "time": 0.0
      },
      {
        "name": "critical_process",
        "time": 0.0
      },
      {
        "name": "cryptopool_domains",
        "time": 0.0
      },
      {
        "name": "dead_connect",
        "time": 0.0
      },
      {
        "name": "dead_link",
        "time": 0.0
      },
      {
        "name": "decoy_document",
        "time": 0.0
      },
      {
        "name": "decoy_image",
        "time": 0.0
      },
      {
        "name": "deletes_consolehost_history",
        "time": 0.0
      },
      {
        "name": "deletes_shadow_copies",
        "time": 0.0
      },
      {
        "name": "deletes_system_state_backup",
        "time": 0.0
      },
      {
        "name": "dep_bypass",
        "time": 0.0
      },
      {
        "name": "dep_disable",
        "time": 0.0
      },
      {
        "name": "disables_mappeddrives_autodisconnect",
        "time": 0.0
      },
      {
        "name": "disables_spdy",
        "time": 0.0
      },
      {
        "name": "disables_wfp",
        "time": 0.0
      },
      {
        "name": "add_windows_defender_exclusions",
        "time": 0.0
      },
      {
        "name": "mountpoints_volume_discovery",
        "time": 0.0
      },
      {
        "name": "dll_load_uncommon_file_types",
        "time": 0.0
      },
      {
        "name": "document_script_exe_drop",
        "time": 0.0
      },
      {
        "name": "guloader_apis",
        "time": 0.0
      },
      {
        "name": "driver_load",
        "time": 0.0
      },
      {
        "name": "dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "encrypted_ioc",
        "time": 0.0
      },
      {
        "name": "exec_crash",
        "time": 0.0
      },
      {
        "name": "process_creation_suspicious_location",
        "time": 0.0
      },
      {
        "name": "exploit_getbasekerneladdress",
        "time": 0.0
      },
      {
        "name": "exploit_gethaldispatchtable",
        "time": 0.0
      },
      {
        "name": "exploit_heapspray",
        "time": 0.0
      },
      {
        "name": "koadic_apis",
        "time": 0.0
      },
      {
        "name": "koadic_network_activity",
        "time": 0.0
      },
      {
        "name": "downloads_from_filehosting",
        "time": 0.0
      },
      {
        "name": "generic_phish",
        "time": 0.0
      },
      {
        "name": "http_request",
        "time": 0.0
      },
      {
        "name": "infostealer_browser",
        "time": 0.0
      },
      {
        "name": "infostealer_browser_password",
        "time": 0.0
      },
      {
        "name": "infostealer_cookies",
        "time": 0.0
      },
      {
        "name": "cryptbot_network",
        "time": 0.0
      },
      {
        "name": "masslogger_artifacts",
        "time": 0.0
      },
      {
        "name": "masslogger_version",
        "time": 0.0
      },
      {
        "name": "purplewave_network_activity",
        "time": 0.0
      },
      {
        "name": "quilclipper_behavior",
        "time": 0.0
      },
      {
        "name": "raccoon_behavior",
        "time": 0.0
      },
      {
        "name": "captures_screenshot",
        "time": 0.0
      },
      {
        "name": "vidar_behavior",
        "time": 0.0
      },
      {
        "name": "injection_createremotethread",
        "time": 0.0
      },
      {
        "name": "creates_suspended_process",
        "time": 0.0
      },
      {
        "name": "injection_explorer",
        "time": 0.0
      },
      {
        "name": "injection_needextension",
        "time": 0.0
      },
      {
        "name": "injection_network_traffic",
        "time": 0.0
      },
      {
        "name": "injection_runpe",
        "time": 0.0
      },
      {
        "name": "injection_rwx",
        "time": 0.0
      },
      {
        "name": "injection_themeinitapihook",
        "time": 0.0
      },
      {
        "name": "resumethread_remote_process",
        "time": 0.0
      },
      {
        "name": "injection_write_exe_process",
        "time": 0.0
      },
      {
        "name": "injection_write_process",
        "time": 0.0
      },
      {
        "name": "internet_dropper",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_named_pipe",
        "time": 0.0
      },
      {
        "name": "ipc_namedpipe",
        "time": 0.0
      },
      {
        "name": "js_phish",
        "time": 0.0
      },
      {
        "name": "js_suspicious_redirect",
        "time": 0.0
      },
      {
        "name": "loader_alien",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_internet_explorer_exporter",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_run_exe_helper_utility",
        "time": 0.0
      },
      {
        "name": "execute_ps_via_syncappvpublishingserver",
        "time": 0.0
      },
      {
        "name": "malicious_dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "encrypt_pcinfo",
        "time": 0.0
      },
      {
        "name": "encrypt_data_agenttesla_http",
        "time": 0.0
      },
      {
        "name": "encrypt_data_agentteslat2_http",
        "time": 0.0
      },
      {
        "name": "encrypt_data_nanocore",
        "time": 0.0
      },
      {
        "name": "reads_memory_remote_process",
        "time": 0.0
      },
      {
        "name": "mimics_filetime",
        "time": 0.0
      },
      {
        "name": "amsi_bypass_via_com_registry",
        "time": 0.0
      },
      {
        "name": "access_auto_logons_via_registry",
        "time": 0.0
      },
      {
        "name": "access_boot_key_via_registry",
        "time": 0.0
      },
      {
        "name": "create_suspicious_lnk_files",
        "time": 0.0
      },
      {
        "name": "credential_access_via_windows_credential_history",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_microsoft_exchange",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_waas_medic_svc_com_typelib",
        "time": 0.0
      },
      {
        "name": "execute_file_downloaded_via_openssh",
        "time": 0.0
      },
      {
        "name": "execute_safe_mode_from_suspicious_process",
        "time": 0.0
      },
      {
        "name": "execute_scripts_via_microsoft_management_console",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_processes_via_windows_mssql_service",
        "time": 0.0
      },
      {
        "name": "execution_from_self_extracting_archive",
        "time": 0.0
      },
      {
        "name": "ip_address_discovery_via_trusted_program",
        "time": 0.0
      },
      {
        "name": "load_dll_via_control_panel",
        "time": 0.0
      },
      {
        "name": "network_connection_via_suspicious_process",
        "time": 0.0
      },
      {
        "name": "potential_location_discovery_via_unusual_process",
        "time": 0.0
      },
      {
        "name": "store_executable_registry",
        "time": 0.0
      },
      {
        "name": "Suspicious_Execution_Via_MicrosoftExchangeTransportAgent",
        "time": 0.0
      },
      {
        "name": "suspicious_java_execution_via_win_scripts",
        "time": 0.0
      },
      {
        "name": "Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File",
        "time": 0.0
      },
      {
        "name": "uses_restart_manager_for_suspicious_activities",
        "time": 0.0
      },
      {
        "name": "modify_desktop_wallpaper",
        "time": 0.0
      },
      {
        "name": "modify_zoneid_ads",
        "time": 0.0
      },
      {
        "name": "move_file_on_reboot",
        "time": 0.0
      },
      {
        "name": "multiple_useragents",
        "time": 0.0
      },
      {
        "name": "network_anomaly",
        "time": 0.0
      },
      {
        "name": "network_bind",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_archive",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_free_webhosting",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_generic",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_interactsh",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_opensource",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_pastesite",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_payload",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_serviceinterface",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_socialmedia",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_telegram",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_tempstorage",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_urlshortener",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_useragent",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_exfil",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_generic",
        "time": 0.0
      },
      {
        "name": "network_dns_idn",
        "time": 0.0
      },
      {
        "name": "network_dns_suspicious_querytype",
        "time": 0.0
      },
      {
        "name": "network_dns_tunneling_request",
        "time": 0.0
      },
      {
        "name": "network_document_http",
        "time": 0.0
      },
      {
        "name": "explorer_http",
        "time": 0.0
      },
      {
        "name": "network_fake_useragent",
        "time": 0.0
      },
      {
        "name": "legitimate_domain_abuse",
        "time": 0.0
      },
      {
        "name": "suspicious_communication_trusted_site",
        "time": 0.0
      },
      {
        "name": "network_tor",
        "time": 0.0
      },
      {
        "name": "office_com_load",
        "time": 0.0
      },
      {
        "name": "office_dotnet_load",
        "time": 0.0
      },
      {
        "name": "office_mshtml_load",
        "time": 0.0
      },
      {
        "name": "office_vb_load",
        "time": 0.0
      },
      {
        "name": "office_wmi_load",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882_network",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444_m2",
        "time": 0.0
      },
      {
        "name": "office_flash_load",
        "time": 0.0
      },
      {
        "name": "office_postscript",
        "time": 0.0
      },
      {
        "name": "office_suspicious_processes",
        "time": 0.0
      },
      {
        "name": "office_write_exe",
        "time": 0.0
      },
      {
        "name": "persistence_via_autodial_dll_registry",
        "time": 0.0
      },
      {
        "name": "persistence_autorun",
        "time": 0.0
      },
      {
        "name": "persistence_autorun_tasks",
        "time": 0.0
      },
      {
        "name": "persistence_bootexecute",
        "time": 0.0
      },
      {
        "name": "persistence_registry_script",
        "time": 0.0
      },
      {
        "name": "powershell_network_connection",
        "time": 0.0
      },
      {
        "name": "powershell_download",
        "time": 0.0
      },
      {
        "name": "powershell_request",
        "time": 0.0
      },
      {
        "name": "createtoolhelp32snapshot_module_enumeration",
        "time": 0.0
      },
      {
        "name": "enumerates_running_processes",
        "time": 0.0
      },
      {
        "name": "process_interest",
        "time": 0.0
      },
      {
        "name": "process_needed",
        "time": 0.0
      },
      {
        "name": "mass_data_encryption",
        "time": 0.0
      },
      {
        "name": "ransomware_file_modifications",
        "time": 0.0
      },
      {
        "name": "ransomware_message",
        "time": 0.0
      },
      {
        "name": "nemty_network_activity",
        "time": 0.0
      },
      {
        "name": "nemty_note",
        "time": 0.0
      },
      {
        "name": "sodinokibi_behavior",
        "time": 0.0
      },
      {
        "name": "stop_ransomware_registry",
        "time": 0.0
      },
      {
        "name": "blackrat_apis",
        "time": 0.0
      },
      {
        "name": "blackrat_network_activity",
        "time": 0.0
      },
      {
        "name": "blackrat_registry_keys",
        "time": 0.0
      },
      {
        "name": "dcrat_behavior",
        "time": 0.0
      },
      {
        "name": "karagany_system_event_objects",
        "time": 0.0
      },
      {
        "name": "rat_luminosity",
        "time": 0.0
      },
      {
        "name": "rat_nanocore",
        "time": 0.0
      },
      {
        "name": "netwire_behavior",
        "time": 0.0
      },
      {
        "name": "obliquerat_network_activity",
        "time": 0.0
      },
      {
        "name": "orcusrat_behavior",
        "time": 0.0
      },
      {
        "name": "trochilusrat_apis",
        "time": 0.0
      },
      {
        "name": "reads_self",
        "time": 0.0
      },
      {
        "name": "recon_beacon",
        "time": 0.0
      },
      {
        "name": "recon_programs",
        "time": 0.0
      },
      {
        "name": "recon_systeminfo",
        "time": 0.0
      },
      {
        "name": "accesses_recyclebin",
        "time": 0.0
      },
      {
        "name": "remcos_shell_code_dynamic_wrapper_x",
        "time": 0.0
      },
      {
        "name": "script_created_process",
        "time": 0.0
      },
      {
        "name": "script_network_activity",
        "time": 0.0
      },
      {
        "name": "suspicious_js_script",
        "time": 0.0
      },
      {
        "name": "javascript_timer",
        "time": 0.0
      },
      {
        "name": "secure_login_phishing",
        "time": 0.0
      },
      {
        "name": "securityxploded_modules",
        "time": 0.0
      },
      {
        "name": "get_clipboard_data",
        "time": 0.0
      },
      {
        "name": "sets_autoconfig_url",
        "time": 0.0
      },
      {
        "name": "spoofs_procname",
        "time": 0.0
      },
      {
        "name": "stack_pivot",
        "time": 0.0
      },
      {
        "name": "stack_pivot_file_created",
        "time": 0.0
      },
      {
        "name": "stack_pivot_process_create",
        "time": 0.0
      },
      {
        "name": "set_clipboard_data",
        "time": 0.0
      },
      {
        "name": "stealth_childproc",
        "time": 0.0
      },
      {
        "name": "stealth_file",
        "time": 0.0
      },
      {
        "name": "stealth_timeout",
        "time": 0.0
      },
      {
        "name": "stealth_window",
        "time": 0.0
      },
      {
        "name": "queries_keyboard_layout",
        "time": 0.0
      },
      {
        "name": "queries_locale_api",
        "time": 0.0
      },
      {
        "name": "terminates_remote_process",
        "time": 0.0
      },
      {
        "name": "uiautomationcore_load",
        "time": 0.0
      },
      {
        "name": "user_enum",
        "time": 0.0
      },
      {
        "name": "mmc_dll_script_load",
        "time": 0.0
      },
      {
        "name": "mmc_dotnet_load",
        "time": 0.0
      },
      {
        "name": "virus",
        "time": 0.0
      },
      {
        "name": "neshta_files",
        "time": 0.0
      },
      {
        "name": "neshta_regkeys",
        "time": 0.0
      },
      {
        "name": "webmail_phish",
        "time": 0.0
      },
      {
        "name": "persists_dev_util",
        "time": 0.0
      },
      {
        "name": "spawns_dev_util",
        "time": 0.0
      },
      {
        "name": "alters_windows_utility",
        "time": 0.0
      },
      {
        "name": "overwrites_accessibility_utility",
        "time": 0.0
      },
      {
        "name": "Potential_Lateral_Movement_Via_SMBEXEC",
        "time": 0.0
      },
      {
        "name": "potential_WebShell_Via_ScreenConnectServer",
        "time": 0.0
      },
      {
        "name": "uses_Microsoft_HTML_Help_Executable",
        "time": 0.0
      },
      {
        "name": "wiper_zeroedbytes",
        "time": 0.0
      },
      {
        "name": "wmi_create_process",
        "time": 0.0
      },
      {
        "name": "wmi_script_process",
        "time": 0.0
      },
      {
        "name": "antianalysis_tls_section",
        "time": 0.0
      },
      {
        "name": "antivirus_clamav",
        "time": 0.0
      },
      {
        "name": "antivirus_virustotal",
        "time": 0.0
      },
      {
        "name": "bad_certs",
        "time": 0.0
      },
      {
        "name": "bad_ssl_certs",
        "time": 0.0
      },
      {
        "name": "banker_zeus_p2p",
        "time": 0.0
      },
      {
        "name": "banker_zeus_url",
        "time": 0.0
      },
      {
        "name": "binary_yara",
        "time": 0.0
      },
      {
        "name": "bot_athenahttp",
        "time": 0.0
      },
      {
        "name": "bot_dirtjumper",
        "time": 0.0
      },
      {
        "name": "bot_drive",
        "time": 0.0
      },
      {
        "name": "bot_drive2",
        "time": 0.0
      },
      {
        "name": "bot_madness",
        "time": 0.0
      },
      {
        "name": "phishing_kit_detected",
        "time": 0.0
      },
      {
        "name": "family_proxyback",
        "time": 0.0
      },
      {
        "name": "flare_capa_antianalysis",
        "time": 0.0
      },
      {
        "name": "flare_capa_collection",
        "time": 0.0
      },
      {
        "name": "flare_capa_communication",
        "time": 0.0
      },
      {
        "name": "flare_capa_compiler",
        "time": 0.0
      },
      {
        "name": "flare_capa_datamanipulation",
        "time": 0.0
      },
      {
        "name": "flare_capa_executable",
        "time": 0.0
      },
      {
        "name": "flare_capa_hostinteraction",
        "time": 0.0
      },
      {
        "name": "flare_capa_impact",
        "time": 0.0
      },
      {
        "name": "flare_capa_lib",
        "time": 0.0
      },
      {
        "name": "flare_capa_linking",
        "time": 0.0
      },
      {
        "name": "flare_capa_loadcode",
        "time": 0.0
      },
      {
        "name": "flare_capa_malwarefamily",
        "time": 0.0
      },
      {
        "name": "flare_capa_nursery",
        "time": 0.0
      },
      {
        "name": "flare_capa_persistence",
        "time": 0.0
      },
      {
        "name": "flare_capa_runtime",
        "time": 0.0
      },
      {
        "name": "flare_capa_targeting",
        "time": 0.0
      },
      {
        "name": "threatfox",
        "time": 0.0
      },
      {
        "name": "log4shell",
        "time": 0.0
      },
      {
        "name": "mimics_extension",
        "time": 0.0
      },
      {
        "name": "network_country_distribution",
        "time": 0.0
      },
      {
        "name": "network_cnc_http",
        "time": 0.005
      },
      {
        "name": "network_ip_exe",
        "time": 0.0
      },
      {
        "name": "network_dga",
        "time": 0.0
      },
      {
        "name": "network_dga_fraunhofer",
        "time": 0.0
      },
      {
        "name": "network_dyndns",
        "time": 0.004
      },
      {
        "name": "network_excessive_udp",
        "time": 0.0
      },
      {
        "name": "network_http",
        "time": 0.002
      },
      {
        "name": "network_icmp",
        "time": 0.0
      },
      {
        "name": "network_irc",
        "time": 0.0
      },
      {
        "name": "network_open_proxy",
        "time": 0.001
      },
      {
        "name": "network_questionable_http_path",
        "time": 0.0
      },
      {
        "name": "network_questionable_https_path",
        "time": 0.0
      },
      {
        "name": "network_smtp",
        "time": 0.0
      },
      {
        "name": "network_torgateway",
        "time": 0.002
      },
      {
        "name": "origin_langid",
        "time": 0.0
      },
      {
        "name": "origin_resource_langid",
        "time": 0.0
      },
      {
        "name": "overlay",
        "time": 0.0
      },
      {
        "name": "packer_unknown_pe_section_name",
        "time": 0.0
      },
      {
        "name": "packer_aspack",
        "time": 0.0
      },
      {
        "name": "packer_aspirecrypt",
        "time": 0.0
      },
      {
        "name": "packer_bedsprotector",
        "time": 0.0
      },
      {
        "name": "packer_confuser",
        "time": 0.0
      },
      {
        "name": "packer_enigma",
        "time": 0.0
      },
      {
        "name": "packer_entropy",
        "time": 0.0
      },
      {
        "name": "packer_mpress",
        "time": 0.0
      },
      {
        "name": "packer_nate",
        "time": 0.0
      },
      {
        "name": "packer_nspack",
        "time": 0.0
      },
      {
        "name": "packer_smartassembly",
        "time": 0.0
      },
      {
        "name": "packer_spices",
        "time": 0.0
      },
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "packer_titan",
        "time": 0.0
      },
      {
        "name": "packer_upx",
        "time": 0.0
      },
      {
        "name": "packer_vmprotect",
        "time": 0.0
      },
      {
        "name": "packer_yoda",
        "time": 0.0
      },
      {
        "name": "pdf_annot_urls_checker",
        "time": 0.0
      },
      {
        "name": "polymorphic",
        "time": 0.0
      },
      {
        "name": "punch_plus_plus_pcres",
        "time": 0.0
      },
      {
        "name": "procmem_yara",
        "time": 0.0
      },
      {
        "name": "recon_checkip",
        "time": 0.0
      },
      {
        "name": "static_authenticode",
        "time": 0.0
      },
      {
        "name": "invalid_authenticode_signature",
        "time": 0.0
      },
      {
        "name": "static_dotnet_anomaly",
        "time": 0.0
      },
      {
        "name": "static_java",
        "time": 0.0
      },
      {
        "name": "static_pdf",
        "time": 0.0
      },
      {
        "name": "contains_pe_overlay",
        "time": 0.0
      },
      {
        "name": "static_pe_anomaly",
        "time": 0.0
      },
      {
        "name": "pe_compile_timestomping",
        "time": 0.0
      },
      {
        "name": "static_pe_pdbpath",
        "time": 0.0
      },
      {
        "name": "static_rat_config",
        "time": 0.0
      },
      {
        "name": "static_versioninfo_anomaly",
        "time": 0.0
      },
      {
        "name": "suricata_alert",
        "time": 0.0
      },
      {
        "name": "suspicious_html_body",
        "time": 0.0
      },
      {
        "name": "suspicious_html_name",
        "time": 0.0
      },
      {
        "name": "suspicious_html_title",
        "time": 0.0
      },
      {
        "name": "volatility_devicetree_1",
        "time": 0.0
      },
      {
        "name": "volatility_handles_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_2",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_1",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_2",
        "time": 0.0
      },
      {
        "name": "volatility_modscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_2",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_3",
        "time": 0.0
      },
      {
        "name": "whois_create",
        "time": 0.0
      },
      {
        "name": "accesses_mailslot",
        "time": 0.001
      },
      {
        "name": "accesses_netlogon_regkey",
        "time": 0.001
      },
      {
        "name": "accesses_public_folder",
        "time": 0.001
      },
      {
        "name": "accesses_sysvol",
        "time": 0.002
      },
      {
        "name": "writes_sysvol",
        "time": 0.0
      },
      {
        "name": "adds_admin_user",
        "time": 0.0
      },
      {
        "name": "adds_user",
        "time": 0.0
      },
      {
        "name": "overwrites_admin_password",
        "time": 0.0
      },
      {
        "name": "antianalysis_detectfile",
        "time": 0.022
      },
      {
        "name": "antianalysis_detectreg",
        "time": 0.069
      },
      {
        "name": "modify_attachment_manager",
        "time": 0.0
      },
      {
        "name": "antiav_detectfile",
        "time": 0.038
      },
      {
        "name": "antiav_detectreg",
        "time": 0.332
      },
      {
        "name": "antiav_srp",
        "time": 0.0
      },
      {
        "name": "antiav_whitespace",
        "time": 0.0
      },
      {
        "name": "antidebug_devices",
        "time": 0.007
      },
      {
        "name": "antiemu_windefend",
        "time": 0.002
      },
      {
        "name": "antiemu_wine_reg",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoo_files",
        "time": 0.001
      },
      {
        "name": "antisandbox_fortinet_files",
        "time": 0.001
      },
      {
        "name": "antisandbox_joe_anubis_files",
        "time": 0.001
      },
      {
        "name": "antisandbox_sboxie_mutex",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_files",
        "time": 0.001
      },
      {
        "name": "antisandbox_threattrack_files",
        "time": 0.002
      },
      {
        "name": "antivm_bochs_keys",
        "time": 0.006
      },
      {
        "name": "antivm_generic_bios",
        "time": 0.004
      },
      {
        "name": "antivm_generic_diskreg",
        "time": 0.014
      },
      {
        "name": "antivm_hyperv_keys",
        "time": 0.006
      },
      {
        "name": "antivm_parallels_keys",
        "time": 0.019
      },
      {
        "name": "antivm_recentdocs",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_devices",
        "time": 0.003
      },
      {
        "name": "antivm_vbox_files",
        "time": 0.015
      },
      {
        "name": "antivm_vbox_keys",
        "time": 0.037
      },
      {
        "name": "antivm_vmware_devices",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_files",
        "time": 0.005
      },
      {
        "name": "antivm_vmware_keys",
        "time": 0.025
      },
      {
        "name": "antivm_vmware_mutexes",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_files",
        "time": 0.002
      },
      {
        "name": "antivm_vpc_keys",
        "time": 0.013
      },
      {
        "name": "antivm_vpc_mutex",
        "time": 0.0
      },
      {
        "name": "antivm_xen_keys",
        "time": 0.019
      },
      {
        "name": "asyncrat_mutex",
        "time": 0.0
      },
      {
        "name": "gulpix_behavior",
        "time": 0.0
      },
      {
        "name": "ketrican_regkeys",
        "time": 0.005
      },
      {
        "name": "okrum_mutexes",
        "time": 0.0
      },
      {
        "name": "banker_cridex",
        "time": 0.002
      },
      {
        "name": "geodo_banking_trojan",
        "time": 0.011
      },
      {
        "name": "banker_spyeye_mutexes",
        "time": 0.0
      },
      {
        "name": "banker_zeus_mutex",
        "time": 0.001
      },
      {
        "name": "bitcoin_opencl",
        "time": 0.001
      },
      {
        "name": "enumerates_physical_drives",
        "time": 0.001
      },
      {
        "name": "bot_russkill",
        "time": 0.0
      },
      {
        "name": "browser_addon",
        "time": 0.001
      },
      {
        "name": "chromium_browser_extension_directory",
        "time": 0.0
      },
      {
        "name": "browser_helper_object",
        "time": 0.0
      },
      {
        "name": "browser_security",
        "time": 0.004
      },
      {
        "name": "browser_startpage",
        "time": 0.0
      },
      {
        "name": "ie_disables_process_tab",
        "time": 0.0
      },
      {
        "name": "odbcconf_bypass",
        "time": 0.0
      },
      {
        "name": "squiblydoo_bypass",
        "time": 0.0
      },
      {
        "name": "squiblytwo_bypass",
        "time": 0.0
      },
      {
        "name": "bypass_chromium_protection",
        "time": 0.0
      },
      {
        "name": "bypass_firewall",
        "time": 0.006
      },
      {
        "name": "checks_uac_status",
        "time": 0.002
      },
      {
        "name": "uac_bypass_cmstpcom",
        "time": 0.0
      },
      {
        "name": "uac_bypass_delegateexecute_sdclt",
        "time": 0.0
      },
      {
        "name": "uac_bypass_fodhelper",
        "time": 0.0
      },
      {
        "name": "cape_extracted_content",
        "time": 0.0
      },
      {
        "name": "carberp_mutex",
        "time": 0.0
      },
      {
        "name": "clears_logs",
        "time": 0.001
      },
      {
        "name": "cmdline_obfuscation",
        "time": 0.0
      },
      {
        "name": "cmdline_switches",
        "time": 0.0
      },
      {
        "name": "cmdline_terminate",
        "time": 0.0
      },
      {
        "name": "cmdline_forfiles_wildcard",
        "time": 0.0
      },
      {
        "name": "cmdline_http_link",
        "time": 0.0
      },
      {
        "name": "cmdline_long_string",
        "time": 0.0
      },
      {
        "name": "cmdline_reversed_http_link",
        "time": 0.0
      },
      {
        "name": "long_commandline",
        "time": 0.0
      },
      {
        "name": "powershell_renamed_commandline",
        "time": 0.0
      },
      {
        "name": "copies_self",
        "time": 0.0
      },
      {
        "name": "credwiz_credentialaccess",
        "time": 0.0
      },
      {
        "name": "enables_wdigest",
        "time": 0.0
      },
      {
        "name": "vaultcmd_credentialaccess",
        "time": 0.0
      },
      {
        "name": "file_credential_store_access",
        "time": 0.002
      },
      {
        "name": "file_credential_store_write",
        "time": 0.0
      },
      {
        "name": "kerberos_credential_access_via_rubeus",
        "time": 0.0
      },
      {
        "name": "registry_credential_dumping",
        "time": 0.0
      },
      {
        "name": "registry_credential_store_access",
        "time": 0.002
      },
      {
        "name": "registry_lsa_secrets_access",
        "time": 0.001
      },
      {
        "name": "comsvcs_credentialdump",
        "time": 0.0
      },
      {
        "name": "cryptomining_stratum_command",
        "time": 0.0
      },
      {
        "name": "cypherit_mutexes",
        "time": 0.0
      },
      {
        "name": "darkcomet_regkeys",
        "time": 0.004
      },
      {
        "name": "datop_loader",
        "time": 0.0
      },
      {
        "name": "deepfreeze_mutex",
        "time": 0.0
      },
      {
        "name": "deletes_executed_files",
        "time": 0.0
      },
      {
        "name": "disables_app_launch",
        "time": 0.001
      },
      {
        "name": "disables_auto_app_termination",
        "time": 0.0
      },
      {
        "name": "disables_appv_virtualization",
        "time": 0.0
      },
      {
        "name": "disables_backups",
        "time": 0.002
      },
      {
        "name": "disables_browser_warn",
        "time": 0.003
      },
      {
        "name": "disables_context_menus",
        "time": 0.0
      },
      {
        "name": "disables_cpl_disable",
        "time": 0.0
      },
      {
        "name": "disables_crashdumps",
        "time": 0.0
      },
      {
        "name": "disables_event_logging",
        "time": 0.0
      },
      {
        "name": "disables_folder_options",
        "time": 0.0
      },
      {
        "name": "disables_notificationcenter",
        "time": 0.0
      },
      {
        "name": "disables_power_options",
        "time": 0.001
      },
      {
        "name": "disables_restore_default_state",
        "time": 0.0
      },
      {
        "name": "disables_run_command",
        "time": 0.0
      },
      {
        "name": "disables_smartscreen",
        "time": 0.001
      },
      {
        "name": "disables_startmenu_search",
        "time": 0.001
      },
      {
        "name": "disables_system_restore",
        "time": 0.001
      },
      {
        "name": "disables_uac",
        "time": 0.0
      },
      {
        "name": "disables_wer",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender",
        "time": 0.001
      },
      {
        "name": "disables_windows_defender_logging",
        "time": 0.001
      },
      {
        "name": "removes_windows_defender_contextmenu",
        "time": 0.001
      },
      {
        "name": "removes_windows_defender_updates",
        "time": 0.0
      },
      {
        "name": "windows_defender_powershell",
        "time": 0.0
      },
      {
        "name": "disables_windows_file_protection",
        "time": 0.0
      },
      {
        "name": "disables_windowsupdate",
        "time": 0.0
      },
      {
        "name": "disables_winfirewall",
        "time": 0.0
      },
      {
        "name": "discover_registry_mount_points",
        "time": 0.001
      },
      {
        "name": "adfind_domain_enumeration",
        "time": 0.0
      },
      {
        "name": "domain_enumeration_commands",
        "time": 0.0
      },
      {
        "name": "andromut_mutexes",
        "time": 0.0
      },
      {
        "name": "downloader_cabby",
        "time": 0.0
      },
      {
        "name": "phorpiex_mutexes",
        "time": 0.0
      },
      {
        "name": "protonbot_mutexes",
        "time": 0.0
      },
      {
        "name": "driver_filtermanager",
        "time": 0.001
      },
      {
        "name": "dropper",
        "time": 0.0
      },
      {
        "name": "dll_archive_execution",
        "time": 0.0
      },
      {
        "name": "lnk_archive_execution",
        "time": 0.0
      },
      {
        "name": "script_archive_execution",
        "time": 0.0
      },
      {
        "name": "excel4_macro_urls",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_ntlm_relay",
        "time": 0.0
      },
      {
        "name": "spooler_access",
        "time": 0.0
      },
      {
        "name": "spooler_svc_start",
        "time": 0.0
      },
      {
        "name": "mapped_drives_uac",
        "time": 0.0
      },
      {
        "name": "hides_recycle_bin_icon",
        "time": 0.0
      },
      {
        "name": "apocalypse_stealer_file_behavior",
        "time": 0.0
      },
      {
        "name": "arkei_files",
        "time": 0.001
      },
      {
        "name": "azorult_mutexes",
        "time": 0.001
      },
      {
        "name": "infostealer_bitcoin",
        "time": 0.024
      },
      {
        "name": "cryptbot_files",
        "time": 0.001
      },
      {
        "name": "echelon_files",
        "time": 0.001
      },
      {
        "name": "infostealer_ftp",
        "time": 0.128
      },
      {
        "name": "infostealer_im",
        "time": 0.072
      },
      {
        "name": "infostealer_mail",
        "time": 0.028
      },
      {
        "name": "masslogger_files",
        "time": 0.0
      },
      {
        "name": "poullight_files",
        "time": 0.01
      },
      {
        "name": "purplewave_mutexes",
        "time": 0.0
      },
      {
        "name": "quilclipper_mutexes",
        "time": 0.0
      },
      {
        "name": "qulab_files",
        "time": 0.008
      },
      {
        "name": "qulab_mutexes",
        "time": 0.0
      },
      {
        "name": "asyncrat_mutex",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_ASPNet_Compiler",
        "time": 0.0
      },
      {
        "name": "Evade_Execute_Via_DeviceCredentialDeployment",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Filter_Manager_Control",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Intel_GFXDownloadWrapper",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_appvlp",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_OpenSSH",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_PesterPSModule",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_ScriptRunner",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_ttdinject",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_VisualStudioLiveShare",
        "time": 0.0
      },
      {
        "name": "Execute_Msiexec_Via_Explorer",
        "time": 0.0
      },
      {
        "name": "execute_remote_msi",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_runscripthelper",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_sqlps",
        "time": 0.0
      },
      {
        "name": "Indirect_Command_Execution_Via_ConsoleWindowHost",
        "time": 0.0
      },
      {
        "name": "Perform_Malicious_Activities_Via_Headless_Browser",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_CertOC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_MSIEXEC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_Odbcconf",
        "time": 0.0
      },
      {
        "name": "Scriptlet_Proxy_Execution_Via_Pubprn",
        "time": 0.0
      },
      {
        "name": "ie_martian_children",
        "time": 0.0
      },
      {
        "name": "office_martian_children",
        "time": 0.0
      },
      {
        "name": "mimics_icon",
        "time": 0.0
      },
      {
        "name": "masquerade_process_name",
        "time": 0.036
      },
      {
        "name": "mimikatz_modules",
        "time": 0.0
      },
      {
        "name": "ms_office_cmd_rce",
        "time": 0.0
      },
      {
        "name": "mount_copy_to_webdav_share",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_legit_utilities",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_qemu",
        "time": 0.0
      },
      {
        "name": "suspicious_execution_via_dotnet_remoting",
        "time": 0.0
      },
      {
        "name": "modify_certs",
        "time": 0.0
      },
      {
        "name": "dotnet_clr_usagelog_regkeys",
        "time": 0.0
      },
      {
        "name": "modify_hostfile",
        "time": 0.0
      },
      {
        "name": "modify_oem_information",
        "time": 0.0
      },
      {
        "name": "modify_security_center_warnings",
        "time": 0.001
      },
      {
        "name": "modify_uac_prompt",
        "time": 0.001
      },
      {
        "name": "network_dns_blockchain",
        "time": 0.0
      },
      {
        "name": "network_dns_opennic",
        "time": 0.001
      },
      {
        "name": "network_dns_paste_site",
        "time": 0.001
      },
      {
        "name": "network_dns_reverse_proxy",
        "time": 0.0
      },
      {
        "name": "network_dns_temp_file_storage",
        "time": 0.001
      },
      {
        "name": "network_dns_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_dns_url_shortener",
        "time": 0.01
      },
      {
        "name": "network_dns_doh_tls",
        "time": 0.001
      },
      {
        "name": "suspicious_tld",
        "time": 0.008
      },
      {
        "name": "network_tor_service",
        "time": 0.001
      },
      {
        "name": "office_code_page",
        "time": 0.0
      },
      {
        "name": "office_addinloading",
        "time": 0.0
      },
      {
        "name": "office_perfkey",
        "time": 0.0
      },
      {
        "name": "office_macro",
        "time": 0.0
      },
      {
        "name": "changes_trust_center_settings",
        "time": 0.0
      },
      {
        "name": "disables_vba_trust_access",
        "time": 0.0
      },
      {
        "name": "office_macro_autoexecution",
        "time": 0.0
      },
      {
        "name": "office_macro_ioc",
        "time": 0.0
      },
      {
        "name": "office_macro_malicious_prediction",
        "time": 0.0
      },
      {
        "name": "office_macro_suspicious",
        "time": 0.0
      },
      {
        "name": "rtf_aslr_bypass",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_characterset",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_version",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_content",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_office_file",
        "time": 0.0
      },
      {
        "name": "rtf_exploit_static",
        "time": 0.0
      },
      {
        "name": "office_security",
        "time": 0.001
      },
      {
        "name": "accesses_office_username",
        "time": 0.001
      },
      {
        "name": "office_anomalous_feature",
        "time": 0.0
      },
      {
        "name": "office_dde_command",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_mutex",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_regkey",
        "time": 0.001
      },
      {
        "name": "persistence_ads",
        "time": 0.0
      },
      {
        "name": "persistence_safeboot",
        "time": 0.0
      },
      {
        "name": "persistence_ifeo",
        "time": 0.0
      },
      {
        "name": "persistence_silent_process_exit",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_registry",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_shadowing",
        "time": 0.0
      },
      {
        "name": "persistence_service",
        "time": 0.0
      },
      {
        "name": "persistence_shim_database",
        "time": 0.001
      },
      {
        "name": "powerpool_mutexes",
        "time": 0.0
      },
      {
        "name": "powershell_scriptblock_logging",
        "time": 0.0
      },
      {
        "name": "powershell_command_suspicious",
        "time": 0.0
      },
      {
        "name": "powershell_history_save_mod",
        "time": 0.0
      },
      {
        "name": "powershell_renamed",
        "time": 0.0
      },
      {
        "name": "powershell_reversed",
        "time": 0.0
      },
      {
        "name": "powershell_variable_obfuscation",
        "time": 0.0
      },
      {
        "name": "prevents_safeboot",
        "time": 0.0
      },
      {
        "name": "cmdline_process_discovery",
        "time": 0.0
      },
      {
        "name": "cryptomix_mutexes",
        "time": 0.0
      },
      {
        "name": "dharma_mutexes",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_generic",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_known",
        "time": 0.009
      },
      {
        "name": "ransomware_files",
        "time": 0.014
      },
      {
        "name": "fonix_mutexes",
        "time": 0.0
      },
      {
        "name": "gandcrab_mutexes",
        "time": 0.0
      },
      {
        "name": "germanwiper_mutexes",
        "time": 0.0
      },
      {
        "name": "medusalocker_mutexes",
        "time": 0.0
      },
      {
        "name": "medusalocker_regkeys",
        "time": 0.002
      },
      {
        "name": "nemty_mutexes",
        "time": 0.0
      },
      {
        "name": "nemty_regkeys",
        "time": 0.001
      },
      {
        "name": "pysa_mutexes",
        "time": 0.0
      },
      {
        "name": "ransomware_radamant",
        "time": 0.001
      },
      {
        "name": "ransomware_recyclebin",
        "time": 0.0
      },
      {
        "name": "revil_mutexes",
        "time": 0.001
      },
      {
        "name": "ransomware_revil_regkey",
        "time": 0.0
      },
      {
        "name": "satan_mutexes",
        "time": 0.001
      },
      {
        "name": "snake_ransom_mutexes",
        "time": 0.0
      },
      {
        "name": "stop_ransom_mutexes",
        "time": 0.0
      },
      {
        "name": "stop_ransomware_cmd",
        "time": 0.0
      },
      {
        "name": "ransomware_stopdjvu",
        "time": 0.0
      },
      {
        "name": "rat_beebus_mutexes",
        "time": 0.0
      },
      {
        "name": "blacknet_mutexes",
        "time": 0.0
      },
      {
        "name": "blackrat_mutexes",
        "time": 0.0
      },
      {
        "name": "crat_mutexes",
        "time": 0.001
      },
      {
        "name": "dcrat_files",
        "time": 0.001
      },
      {
        "name": "dcrat_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_fynloski_mutexes",
        "time": 0.0
      },
      {
        "name": "limerat_mutexes",
        "time": 0.0
      },
      {
        "name": "limerat_regkeys",
        "time": 0.005
      },
      {
        "name": "lodarat_file_behavior",
        "time": 0.0
      },
      {
        "name": "modirat_behavior",
        "time": 0.001
      },
      {
        "name": "njrat_regkeys",
        "time": 0.0
      },
      {
        "name": "obliquerat_files",
        "time": 0.002
      },
      {
        "name": "obliquerat_mutexes",
        "time": 0.0
      },
      {
        "name": "parallax_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_pcclient",
        "time": 0.003
      },
      {
        "name": "rat_plugx_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_poisonivy_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_quasar_mutexes",
        "time": 0.0
      },
      {
        "name": "ratsnif_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_spynet",
        "time": 0.001
      },
      {
        "name": "venomrat_mutexes",
        "time": 0.0
      },
      {
        "name": "warzonerat_files",
        "time": 0.001
      },
      {
        "name": "warzonerat_regkeys",
        "time": 0.002
      },
      {
        "name": "xpertrat_files",
        "time": 0.0
      },
      {
        "name": "xpertrat_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_xtreme_mutexes",
        "time": 0.0
      },
      {
        "name": "reads_password_database",
        "time": 0.002
      },
      {
        "name": "recon_fingerprint",
        "time": 0.005
      },
      {
        "name": "remcos_files",
        "time": 0.001
      },
      {
        "name": "remcos_mutexes",
        "time": 0.0
      },
      {
        "name": "remcos_regkeys",
        "time": 0.003
      },
      {
        "name": "rdptcp_key",
        "time": 0.0
      },
      {
        "name": "uses_rdp_clip",
        "time": 0.0
      },
      {
        "name": "uses_remote_desktop_session",
        "time": 0.0
      },
      {
        "name": "removes_networking_icon",
        "time": 0.0
      },
      {
        "name": "removes_pinned_programs",
        "time": 0.0
      },
      {
        "name": "removes_security_maintenance_icon",
        "time": 0.0
      },
      {
        "name": "removes_startmenu_defaults",
        "time": 0.001
      },
      {
        "name": "removes_username_startmenu",
        "time": 0.0
      },
      {
        "name": "spicyhotpot_behavior",
        "time": 0.0
      },
      {
        "name": "sniffer_winpcap",
        "time": 0.002
      },
      {
        "name": "spreading_autoruninf",
        "time": 0.001
      },
      {
        "name": "stealth_hidden_extension",
        "time": 0.0
      },
      {
        "name": "stealth_hiddenreg",
        "time": 0.001
      },
      {
        "name": "stealth_hide_notifications",
        "time": 0.001
      },
      {
        "name": "stealth_webhistory",
        "time": 0.0
      },
      {
        "name": "sysinternals_psexec",
        "time": 0.0
      },
      {
        "name": "sysinternals_tools",
        "time": 0.0
      },
      {
        "name": "language_check_registry",
        "time": 0.001
      },
      {
        "name": "tampers_etw",
        "time": 0.001
      },
      {
        "name": "lsa_tampering",
        "time": 0.0
      },
      {
        "name": "tampers_powershell_logging",
        "time": 0.0
      },
      {
        "name": "targeted_flame",
        "time": 0.002
      },
      {
        "name": "territorial_disputes_sigs",
        "time": 0.113
      },
      {
        "name": "trickbot_mutex",
        "time": 0.0
      },
      {
        "name": "fleercivet_mutex",
        "time": 0.0
      },
      {
        "name": "lokibot_mutexes",
        "time": 0.001
      },
      {
        "name": "ursnif_behavior",
        "time": 0.001
      },
      {
        "name": "uses_adfind",
        "time": 0.0
      },
      {
        "name": "uses_ms_protocol",
        "time": 0.0
      },
      {
        "name": "neshta_mutexes",
        "time": 0.0
      },
      {
        "name": "renamer_mutexes",
        "time": 0.0
      },
      {
        "name": "owa_web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_processes",
        "time": 0.0
      },
      {
        "name": "dotnet_csc_build",
        "time": 0.0
      },
      {
        "name": "mavinject_lolbin",
        "time": 0.0
      },
      {
        "name": "multiple_explorer_instances",
        "time": 0.0
      },
      {
        "name": "script_tool_executed",
        "time": 0.0
      },
      {
        "name": "suspicious_certutil_use",
        "time": 0.0
      },
      {
        "name": "suspicious_command_tools",
        "time": 0.002
      },
      {
        "name": "suspicious_mpcmdrun_use",
        "time": 0.0
      },
      {
        "name": "suspicious_ping_use",
        "time": 0.0
      },
      {
        "name": "uses_powershell_copyitem",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities",
        "time": 0.002
      },
      {
        "name": "uses_windows_utilities_appcmd",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_csvde_ldifde",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_cipher",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_clickonce",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_curl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_dsquery",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_esentutl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_finger",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_mode",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_ntdsutil",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_nltest",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_setx",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_xcopy",
        "time": 0.0
      },
      {
        "name": "wmic_command_suspicious",
        "time": 0.0
      },
      {
        "name": "scrcons_wmi_script_consumer",
        "time": 0.0
      },
      {
        "name": "allaple_mutexes",
        "time": 0.0
      }
    ],
    "reporting": [
      {
        "name": "BinGraph",
        "time": 0.0
      }
    ]
  },
  "target": {
    "category": "file",
    "file": {
      "name": "NanoCore.exe",
      "path": "/opt/CAPEv2/storage/binaries/ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b",
      "guest_paths": "",
      "size": 1442816,
      "crc32": "F92B088C",
      "md5": "1728acc244115cbafd3b810277d2e321",
      "sha1": "be64732f46c8a26a5bbf9d7f69c7f031b2c5180b",
      "sha256": "ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b",
      "sha512": "8c59fdd29181f28e5698de78adf63934632e644a87088400f1b7ab1653622e4bc3a4145094601211a2db4bcbd04ea5f1ac44129907fbb727fe24a1f3652c7034",
      "rh_hash": null,
      "ssdeep": "24576:d7dOT1b7eAJzjSTUd+21nm3kEvpqZ0vSxmfexX6shz07DTl/uz:d7dqVw2+2KkS4PmGX6og7",
      "type": "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows",
      "yara": [
        {
          "name": "COD3NYM_SUSP_OBF_NET_Reactor_Indicators_Jan24",
          "meta": {
            "description": "Detects indicators of .NET Reactors managed obfuscation. Reactor is a commercial obfuscation solution, pirated versions are often abused by threat actors.",
            "author": "Jonathan Peters",
            "id": "8dc07bbd-cbeb-5214-a27a-555a0d396197",
            "date": "2024-01-09",
            "modified": "2024-01-12",
            "reference": "https://www.eziriz.com/dotnet_reactor.htm",
            "source_url": "https://github.com/cod3nym/detection-rules//blob/86a04c4594cb48895192aad4af164f21f568c136/yara/dotnet/obf_net_reactor.yar#L18-L34",
            "license_url": "https://github.com/cod3nym/detection-rules//blob/86a04c4594cb48895192aad4af164f21f568c136/LICENSE.md",
            "hash": "be842a9de19cfbf42ea5a94e3143d58390a1abd1e72ebfec5deeb8107dddf038",
            "logic_hash": "40a03eb487e2c02a032c4bfb51580dbb764e0a49ceee5ae92c54a5ee3ede9696",
            "score": 65,
            "quality": 80,
            "tags": "FILE"
          },
          "strings": [
            "3{\u00001\u00001\u00001\u00001\u00001\u0000-\u00002\u00002\u00002\u00002\u00002\u0000-\u00005\u00000\u00000\u00000\u00001\u0000-\u00000\u00000\u00000\u00000\u00000\u0000}\u0000",
            "3{\u00001\u00001\u00001\u00001\u00001\u0000-\u00002\u00002\u00002\u00002\u00002\u0000-\u00004\u00000\u00000\u00000\u00001\u0000-\u00000\u00000\u00000\u00000\u00001\u0000}\u0000",
            "3{\u00001\u00001\u00001\u00001\u00001\u0000-\u00002\u00002\u00002\u00002\u00002\u0000-\u00004\u00000\u00000\u00000\u00001\u0000-\u00000\u00000\u00000\u00000\u00002\u0000}\u0000",
            "<PrivateImplementationDetails>{F4B45B4B-739C-406C-A9CF-5A589EA4A5AC}",
            "<Module>{6F53801E-7E6B-4CF6-ADA6-069C03F41663}"
          ],
          "addresses": {
            "": 371702
          }
        },
        {
          "name": "DITEKSHEN_MALWARE_Win_Nanocore",
          "meta": {
            "description": "Detects NanoCore",
            "author": "ditekSHen",
            "id": "931b98f6-df2b-538b-bc49-ecbbd24334da",
            "date": "2020-11-06",
            "modified": "2024-11-01",
            "reference": "https://github.com/ditekshen/detection",
            "source_url": "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7654-L7681",
            "license_url": "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt",
            "logic_hash": "6336260e0af2b4b51338ee066f41b7c58aa134a6c03ca110db7e088edf2b65a7",
            "score": 75,
            "quality": 75,
            "tags": "FILE"
          },
          "strings": [
            "NanoCore.ClientPlugin",
            "NanoCore.ClientPluginHost",
            "IClientApp",
            "IClientData",
            "IClientNetwork",
            "IClientAppHost",
            "IClientDataHost",
            "IClientLoggingHost",
            "IClientNetworkHost",
            "IClientUIHost",
            "ClientPlugin",
            "EndPoint",
            "IPAddress",
            "IPEndPoint"
          ],
          "addresses": {
            "x2": 487245,
            "x3": 487294,
            "i1": 487234,
            "i2": 487404,
            "i3": 487335,
            "i4": 487320,
            "i5": 487369,
            "i6": 487350,
            "i7": 487385,
            "i8": 487280,
            "s1": 487267,
            "s2": 475545,
            "s3": 409254,
            "s4": 409264
          }
        },
        {
          "name": "Windows_Trojan_Nanocore_d8c4e3c5",
          "meta": {
            "author": "Elastic Security",
            "id": "d8c4e3c5-8bcc-43d2-9104-fa3774282da5",
            "fingerprint": "e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4",
            "creation_date": "2021-06-13",
            "last_modified": "2021-08-23",
            "threat_name": "Windows.Trojan.Nanocore",
            "reference_sample": "b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd",
            "severity": 100,
            "arch_context": "x86, arm64",
            "scan_context": "file, memory",
            "license": "Elastic License v2",
            "os": "windows"
          },
          "strings": [
            "NanoCore.ClientPluginHost",
            "NanoCore.ClientPlugin",
            "get_BuilderSettings",
            "PluginCommand",
            "IClientAppHost",
            "GetBlockHash",
            "IClientLoggingHost"
          ],
          "addresses": {
            "a1": 487294,
            "a2": 487245,
            "b1": 401250,
            "b3": 371616,
            "b4": 487320,
            "b5": 513946,
            "b9": 487350
          }
        },
        {
          "name": "IsPE32",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "IsNET_EXE",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "IsWindowsGUI",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "IsPacked",
          "meta": {
            "description": "Entropy Check"
          },
          "strings": [],
          "addresses": {}
        },
        {
          "name": "Microsoft_Visual_Studio_NET",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "a": 1422542
          }
        },
        {
          "name": "Microsoft_Visual_C_v70_Basic_NET_additional",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "a": 1422542
          }
        },
        {
          "name": "Microsoft_Visual_C_Basic_NET",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "b": 1422542
          }
        },
        {
          "name": "Microsoft_Visual_Studio_NET_additional",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "a": 1422542
          }
        },
        {
          "name": "Microsoft_Visual_C_v70_Basic_NET",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "b": 1422542
          }
        },
        {
          "name": "NET_executable_",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "a": 1422542
          }
        },
        {
          "name": "NET_executable",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "b": 1422542
          }
        }
      ],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T1C765BE01A6B2CF2AD3D86A3981ABC22C4B51D973F323B75B1F2E74642C5223B4D417D6",
      "sha3_384": "1d00cceb26b3a28d6e18293142b7959c281cbfd500ff0475884d72dcef42f75f307f14fb8e2ba2377877f390b924b7b9",
      "yara_hash": "b833150b13e1662cfeb7589959edd288cf4e73710395ec5c5f2123f39a668f4d",
      "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
      "pe": {
        "guest_signers": {
          "aux_sha1": null,
          "aux_timestamp": null,
          "aux_valid": false,
          "aux_error": true,
          "aux_error_desc": "No signature found.",
          "aux_signers": []
        },
        "digital_signers": [],
        "imagebase": "0x00400000",
        "entrypoint": "0x0015d0ce",
        "ep_bytes": "ff250020400000000000000000000000",
        "peid_signatures": null,
        "reported_checksum": "0x00000000",
        "actual_checksum": "0x00169eed",
        "osversion": "4.0",
        "machine_type": "IMAGE_FILE_MACHINE_I386",
        "pdbpath": null,
        "imports": {
          "mscoree": {
            "dll": "mscoree.dll",
            "imports": [
              {
                "address": "0x402000",
                "name": "_CorExeMain"
              }
            ]
          }
        },
        "exported_dll_name": null,
        "exports": [],
        "dirents": [
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
            "virtual_address": "0x0015d080",
            "size": "0x0000004b"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
            "virtual_address": "0x00160000",
            "size": "0x000049d8"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
            "virtual_address": "0x00166000",
            "size": "0x0000000c"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_TLS",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IAT",
            "virtual_address": "0x00002000",
            "size": "0x00000008"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
            "virtual_address": "0x00002008",
            "size": "0x00000048"
          }
        ],
        "sections": [
          {
            "name": ".text",
            "raw_address": "0x00000400",
            "virtual_address": "0x00002000",
            "virtual_size": "0x0015b0d4",
            "size_of_data": "0x0015b200",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x60000020",
            "entropy": "7.47"
          },
          {
            "name": ".sdata",
            "raw_address": "0x0015b600",
            "virtual_address": "0x0015e000",
            "virtual_size": "0x000001e8",
            "size_of_data": "0x00000200",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "6.61"
          },
          {
            "name": ".rsrc",
            "raw_address": "0x0015b800",
            "virtual_address": "0x00160000",
            "virtual_size": "0x000049d8",
            "size_of_data": "0x00004a00",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "5.50"
          },
          {
            "name": ".reloc",
            "raw_address": "0x00160200",
            "virtual_address": "0x00166000",
            "virtual_size": "0x0000000c",
            "size_of_data": "0x00000200",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x42000040",
            "entropy": "0.10"
          }
        ],
        "overlay": null,
        "resources": [
          {
            "name": "RT_ICON",
            "offset": "0x00160190",
            "size": "0x000025a8",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "5.05"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00162738",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "5.14"
          },
          {
            "name": "RT_ICON",
            "offset": "0x001637e0",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "5.26"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x00163c48",
            "size": "0x00000030",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "2.49"
          },
          {
            "name": "RT_VERSION",
            "offset": "0x00163c78",
            "size": "0x0000025c",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "3.24"
          },
          {
            "name": "RT_MANIFEST",
            "offset": "0x00163ed4",
            "size": "0x00000b01",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "5.03"
          }
        ],
        "versioninfo": [
          {
            "name": "Translation",
            "value": "0x0000 0x04b0"
          },
          {
            "name": "FileDescription",
            "value": "NanoCore"
          },
          {
            "name": "FileVersion",
            "value": "1.2.2.0"
          },
          {
            "name": "InternalName",
            "value": "NanoCore.exe"
          },
          {
            "name": "LegalCopyright",
            "value": " "
          },
          {
            "name": "OriginalFilename",
            "value": "NanoCore.exe"
          },
          {
            "name": "ProductVersion",
            "value": "1.2.2.0"
          },
          {
            "name": "Assembly Version",
            "value": "1.2.2.0"
          }
        ],
        "imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
        "timestamp": "2015-07-01 07:55:53",
        "icon": "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",
        "icon_hash": "9c277b84ad2feebee2cd22adbff22291",
        "icon_fuzzy": "59f4472af565251bed0c3b75f443cba7",
        "icon_dhash": "70f0aaa8e8aaf870",
        "imported_dll_count": 1
      },
      "data": null,
      "strings": [
        "DR6WhqGPQoexL72YWJKb",
        "cmDqUGjq5k",
        "MWCrFXifOa",
        "M1oGTqAKvFXLQDONE9u",
        "YIPVJ2<%",
        "PDglnKvVuQpicZn8kln",
        "L5PAjVxMJ1",
        "ReadInt16",
        "StringCollection",
        "_Lambda$__2",
        "AuA50kr1QI",
        "[>Hc*",
        "cq1PW361kHdT7wB5ntm",
        "VsRcLnjUqTRgB5vwH8V",
        "ihHLeEMYGE0yyZ0bE3q",
        "aMiJiix3yamEn2BtkP7",
        "LH5SSrGxNdDa29HUEW9e",
        "5- !E",
        "$WMM%0Q",
        "B6enGQIy4VbYERUgp6Y",
        ";4uTcC",
        "EndPoint",
        "(cLfo7",
        "tJehBRT99V1Z0fjrV6n",
        "RPUgfeGLekN5jaxDjVgB",
        "MuLQmCeohu",
        "f0NdCLOHLDuqgOs0g26",
        "q8HDDYnRvo",
        "\\2 [\\",
        "lr1v2yGyHDyIw6avD82K",
        "vTbgF",
        ".xEvE",
        "TextRenderingHint",
        "+B-SW:",
        "SZltwq4xkGvtOXZkh6D",
        "T=&~VW",
        "uJJecYv90h",
        "azO{j)",
        "SZ91NRf45i",
        "r90yFdAvYxUv0LutPHb",
        "_Lambda$__67",
        "RK5umIGnuptmfvCNeAN1",
        "mLFB2mfbDQ",
        "nxxjAZsao3",
        "set_KeepAlive",
        "IYLZ3FDDVxM58pIuRbx",
        "LVNOhEATYorYmX7b3Ek",
        "pFhwM3GM45mvP5VqwuMV",
        "*+%RVM1",
        "aWlYtI10QfYyBsIixlc",
        "EnableListener",
        "\"@7JW",
        "MEA87jpSNxiQt1Z7Uhe",
        "USqw7nsoCg",
        "GPeAfdGXs1dO4SQXsT2P",
        "jNiVlfvWAYw5cE4EalS",
        "R~xES",
        "ListView",
        "S|IpA",
        "xhBFJIJNWhlhyL19eMR",
        "RLc?c<",
        "X8olfXOAmZG5rsZcc4",
        "mB$r\"/",
        "FRChp",
        "Ba?%\\",
        "VvJ30y",
        "!?VnS",
        "set_SelectedItem",
        "ntO4AhGUpFdVT7ydUNC",
        "image_0",
        "eV/}n",
        "U9kqLUaOII",
        "ygALQpzIx4iKsXMvHNr",
        "TgduJAGYJtMkuPwosUuo",
        "\"U#\\#m#",
        "wxwmgU9GGTbTNU7JQUG",
        "V!!u:V\\5vZ",
        "Q0DFTO",
        "x3tf9ezgXDEXwLxBdH2",
        "cNncwOZuWfUgBjYXA1",
        "ThPoJY84pjH7ycvp1XB",
        "r7K8rlmNjwVrwu2wfGf",
        "SeVuh6hGkeQDQ5uEv3C",
        "z{8Kl",
        "%_y5xo",
        "ukBraWy2IgGN65JLKXu",
        "+_HTZDL",
        "cABJf36dY2",
        "[KM|-",
        "+zzkq",
        "W|wJ;~d",
        "Oktjw0wMOA",
        "sSpY7B1QM7",
        "ISOnpT7m2u",
        "EekNmSRD1PMA9bN27X",
        "SUZeaw36Fp",
        "ujQp4jG4tHArKKUATOvV",
        " x&3H",
        "FileStream",
        "set_AcceptSocket",
        "4,aM.",
        "qwd2o5GGESUub5WQdxAD",
        "fwNePtGKab23xqLoMY3Y",
        "qmLa0yBj7SejYokxcee",
        "JLGkSsuK6swoGDw7Zjx",
        "GDelegate21",
        "RvBQkUgKyH",
        "        <requestedExecutionLevel  level=\"requireAdministrator\" uiAccess=\"false\" />",
        "*lyX['",
        "1@w9o",
        "set_Filter",
        "L}):%H",
        "get_ControlDarkDark",
        "wkOhRmaVTULaSoWXUfA",
        "0*MBK",
        "kVMfXUQ3ahtxWyP2iP8",
        "wmdy4706cQmPOFejryu",
        "ip0xHhGhD3EwAiVo23g6",
        "xhbD1bH2C4",
        "m3dLBaVRPjF4nBSKL9F",
        "B1ZdldrOvkkB1dmSWmt",
        "set_ActiveLinkColor",
        "Y$*+LX ",
        "GetObject",
        "9Rccn",
        "isSx1PG45sRZyHjkHNPQ",
        "&:'X'",
        "c7cjRCGfYUIsqGvFqZ5e",
        "kKwtr3OR6micL7B88Xn",
        "iOBd>",
        "Y3#B=2",
        "set_MaximizeBox",
        "rpxRuiG8x2PQ1Y5a6bPB",
        "m0E60HYnIX",
        "fqVk}E",
        "S3edJWOlMd",
        "Ov2A6Bold9",
        "DeflateStream",
        "Pp5oBFTqPQHyYDvA6FR",
        "ToChar",
        "plCFo9eQVcKC278Hr5o",
        "[^QWZ",
        "NewGuid",
        "VlIOYk4G1E",
        "VRrfx>~",
        "eTI1E1x6vS",
        "arACTTGIYgXj4BBAeJwt",
        "DjJGIcGYAkUx1ZdScsnP",
        "Default",
        "Lh6yzuOasu",
        "      </requestedPrivileges>",
        "NeuUZMmMyVNxaHbObZR",
        "~4}`_u",
        "QE3qGT5MYSeTDbjWLKf",
        "_Lambda$__71",
        "xuN6dspLAu",
        "ObjectDisposedException",
        "O8YMSvi6JEDZmj0pltQ",
        "background",
        "token",
        "ydXDMqDJ7IaltXCPo2S",
        "W@yK_",
        "NtJ5bnO4IM",
        "LoadFile",
        "kVdDhF16uNUnFlMfbFg",
        "ycauHtGMBftp9rx79vGQ",
        ">/9 t",
        "xEp2HbGYP9oosHAC6SJ5",
        "ToolTip1",
        "pUbb9VNdtJ9p2LamJtq",
        "S0#5RQ",
        "5g<c~)I,7",
        "ooSU9vqnLkRN93veVFX",
        "pl1q2hqlH5cO99GcV51",
        "FVAlxRGGCYka8IqGS2yn",
        "zLWCnA9EdfUMo7G9gM",
        "j|y+D",
        "XhbR1YWLJp",
        "vLqh`[",
        "get_SelectedIndex",
        "\\,UBpr",
        "WvU7rFGE1UDMRjtrCus8",
        "label_1",
        "qX7gCLaHh9xeLQDLHbr",
        "E5MU62TBFqDp8GLDxnH",
        "o7vrW6ffIk",
        "DAxekOzOM8NxCq7iTWr",
        "paLU1xOTHyUda1KmCkb",
        "Decimal",
        "Microsoft.VisualBasic.Devices",
        "VAvSu1ERiEeu9I0bX8R",
        "HU4tLlY8Bin6fqVZnJm",
        "{I=oC)L",
        "LceoeVsGls",
        "float_0",
        "WyZ54o7bTs",
        "gBNQpy8KxV1ihGa12UY",
        "System.Security.Cryptography.X509Certificates",
        "M52BivFq4K",
        "ip6JmXI9Jf",
        "vDQBca7Xx9",
        "}@C^&/",
        "JvtkOoZSSnkC33rdlYa",
        "BLCOo3GVqvcl6OwBBmLV",
        "JfsNt6VoSa",
        "RL9qtDBZnB",
        "SeSHj6GPat49IjkZU2Of",
        "htl4y",
        "WHC5tr9yhW",
        "aa5RD5nWVD",
        "GetFunctionPointerForDelegate",
        "p'/\"Xy",
        "KN75nxUVfW",
        "K9wqwYmFo3",
        "HucqIpoehYGKeEUg6p7",
        "cu;Wr",
        "BiZN7e3uX2sAwCCd2ZV",
        "a22fYMgRPF",
        "LogViewerPage",
        "cgphGrFMxEdmTyH6r6V",
        "OYhCqBDmLq",
        "mm:M^",
        "wa1LYCooUL68EcR9Upd",
        "pogok7xpsq1OCh6u7OH",
        "mN0S]",
        "SmSxVwsBi8VLDUSXMgu",
        "w;`S{3",
        "\\iwgj",
        "Label5",
        "aGFkINlIYUThwdZZCmo",
        "    <application>",
        "BitCount",
        "WNKvvT8p9g",
        "yfh27RtveEHJGTbL5T",
        "@rfeG",
        "G0EZp6zGXLTTbMeLO6x",
        "K;uS>/ ",
        "method_27",
        "jneLNBQTNsCor76HxXg",
        "YjmmW9JFCmqgxOffjml",
        "MrlsV30fDRM9qZdpIW7",
        "\"W~8e",
        "GwFA4Tq",
        "Fkx79FGNtW2A1r8wN0vI",
        "IButtonControl",
        "Q8rQhmGb2oPh8wGxYKqP",
        "KsPlp",
        "PYM9k3oxqXDbTp9cVwa",
        "NanoCore.ServerPlugin",
        "s;,i]k",
        "rTxU3",
        ",^-m`",
        "W3rXkmGr8ssCOYPtwHZA",
        "method_6",
        "WYrBx0x5icjb5b4Js0",
        "GetUnderlyingType",
        "k0T9LfGZjivfgkOn5w9G",
        "JQ1RL2Zxj3JNfL7XJvB",
        "k0iJPnH6QS",
        "s9dhvhRmo6",
        "Vm4\"1",
        "BXxEPsLH6CyT4KYweP2",
        "u4QHj}{zK",
        "lv9OEfXt0D",
        "FjvAlXVIOV",
        "NR*3F",
        "QPb5BkT4Uj",
        "LegalCopyright",
        "TrrpmpGM9bBX8fRvRei3",
        "U7MT^",
        "csteASGwAZmUTLK934oI",
        "eP5aUfGn4SADQQKsZBOq",
        "ToInteger",
        "WindowsFormsApplicationBase",
        "cFQp7",
        "CompilerGeneratedAttribute",
        "ObjectHandle",
        "Vgx5ZtFf4h",
        "EndUpdateResource",
        "xX5LICGxIGjbkyHD5Cvg",
        "Ya}+b",
        "Me2gNWIcoVdKDelDVsv",
        "EVEz+}[^",
        ",k)GG",
        "e86J1330t0",
        "MbXlS3uZAh9pkPVHkFS",
        "get_RowStyles",
        "g1J8aVzXqQurxx8xLhE",
        "l11muKYMr9CsWbOTsGT",
        "p38NDUO71O",
        "r-Mdy",
        "_J.8ha",
        "X79oMrjv8d",
        "rpY7u2u7wYyw7MaBDgp",
        "LingerOption",
        "c8loz3oxmD",
        "hVQYYkGwjQOKbhgeWmLN",
        "fuvX8RYr7lZ0dulLyGZ",
        "D2fHDioKdhAHs03qFMF",
        "TTW_B[",
        "BDDtW6cCZqR0e2NPokD",
        "qnldwIg0BT",
        "otns\"",
        "Hy3Dd4TsO9793ayig5P",
        "7P\\8n",
        "lyIlyaxS7yTLNbsKuc3",
        " $T^-",
        "#Strings",
        "BeginUpdate",
        "vw\\F9",
        "cz3{4",
        "qdXW>&",
        "AX9y78evnj",
        "linkLabel_1",
        "cGDf1RM8CbOsQAi1qOX",
        "GDelegate22",
        "Wwwqi3PYU8WPWkJZB5",
        "!\"7q\\",
        "an4BXcTglU",
        "InvalidateTabIcons",
        ".rsrc",
        "Q7ENtKSZS",
        "xTUoismw43",
        "mrDSUYGwK4WkWHs7ZClc",
        "CZRDOBgigh",
        "$;OU9",
        "@,_'S",
        "NK0iYEpNPV",
        "rNwQ90iuBewNMq4vJBh",
        "ToBinary",
        "p<<J/",
        "get_Controls",
        "wd21A6qG9CJHxTlpxgT",
        "O2\"P!|!",
        "JgqVXiF28Ds7c8vP9yG",
        "ZK ,kp",
        "eMai36Lk5FrOjKsgCBC",
        "qEnQKUGwR6AGivki3O5f",
        "J2lTYoGANUNBq90cOaf8",
        "Y9ciEwo8OZyOYGVpPZm",
        "AwxntEMxLNKaXfYhsv0",
        "o#Ux8{",
        "method_16",
        "SSo811NvbRowMWlqtfq",
        "get_Hash",
        "smpiXm1uqpiurgdH2Wt",
        "B310C4daH8Spt1DX2eb",
        "param",
        "X6lQVJyfc8wiVdftV10",
        "GkivNcjcu36cNjK4iwm",
        "f>5iD",
        "DlZkNIpjfsvgWGPh7GC",
        "gdelegate21_1",
        "sCKHUutcOhG65sYMQoh",
        "wdTi9c0nSd",
        "rbXivdXMNX",
        "aKwyqg0xc4YXiSKLkwI",
        "mMW16yMwU4rUVyvDciO",
        "$CM|\"9'",
        ".ox*=",
        "p7 _QW0p!2!GO",
        "TabState",
        "a77jfAnw0vvUr7LL6JI",
        "dTwSQ0K3GdFESjr3w1F",
        "NotificationAction",
        "ghehy3D0mq2fCSdXbEJ",
        "Fqybo5di9LbkkE1hAQW",
        "wi6Zk0GLfPF8LeKgFEw2",
        "UInt32",
        "IuchRNYsAr",
        "LNvgKDGkwFpCiStjpYjC",
        "ZjJ4<",
        "get_CloseReason",
        "set_SplitterDistance",
        "kO9sAT4npqArqxBXH55",
        "Y6oYxNrf2I",
        "(51dk",
        "BwS6P0oc8j",
        "lwapkgGnSyg0fX04mIAO",
        "IU96HFSTMh",
        "kvp42FXwwoF2OrsEGDX",
        "Pp3JoqGx7SIQwfItdkEV",
        "System.Xml",
        "^ zsw",
        "COaxIYGyw03BbtiHHa0g",
        "T6KfrYa3kt",
        "mouseEventArgs_0",
        "LviltSGIC4BeBAdTHq5M",
        " Kq-:",
        "get_Tag",
        ";G')V",
        "VHVDXCm9JhTcqfvChUI",
        "dUiYILZl4a",
        "M><%A(",
        "_Lambda$__36",
        "eb;V5",
        "Ns!Jm",
        "e<W~&:W",
        "IQKQtv1gbPuDDFXwi5T",
        "A3xKPkGnOiPVRE5pVK4v",
        "wFqBR6oaEt",
        "get_BaseAddress",
        "ghcYvkGgDlQhQxUiQnZc",
        "506c;",
        "q1ZcgJepRKw9HrJt1oD",
        "E2p68ZMmLbyivrwJtB2",
        "!sL}}o",
        "aPMv3r7WFVjnBhewIb8",
        "ShutdownMode",
        "uiPjf",
        "J2SoAVzvvRXEb5ApYTo",
        "GetCustomAttributes",
        "IntPtr",
        "XxtQzYV7Qb",
        "*5P+.",
        "sPLYxBagNRgsJZOxDtW",
        "_t9Th,",
        "fXF@S",
        "jws0tZRJV7fckRtl7Mt",
        "kdscvunSIDUCPet6bhp",
        "mj}+^",
        "tCo9ZxGVAHjyQJj1VTnd",
        "Twek4",
        "MrGrennS7R",
        "PerformLayout",
        "mF1j2eIRAEhrp5GXxiP",
        "H2?)%f`",
        "chEHRl7SDsgOYjh29cg",
        "R7POaybg9HLfaiVRKBV",
        "CuTZgEStQ7rGBYRX1KV",
        "OR56aEjgr1",
        "dr9lflgHkVs3cMQNlDq",
        "OWQ3LwGmxq1yqZEL5Im",
        "x0BnGfGbMkgg1kriauKl",
        "o1enHOGRn63yDLnoFcHl",
        "Q6Z3leG3yaBmJpE0ty98",
        "e6hnKdGbvupQVKqReBa8",
        "6#*jkwt",
        "Y9vXwl2ImXBoNFF76TS",
        "@fyN@Hxg",
        "BnRK6EGNdKFfopn9pmDu",
        "remove_KeyDown",
        "PQPJJEv5m52N2MrcYYi",
        "Y4yVMkMBiCo6ev5RGaX",
        "k0fAFtGrTMJAS2XuVSLQ",
        "SydP0",
        "wB0kFHua3dh5KTZe5xu",
        "Q6YiMEiqAQ",
        "IyODCFGh0jEpoadFPEYM",
        "gDWNwCGVKW4SheCWcVBw",
        "Lbkca8GLaeP0h4xZMYlK",
        "FQbhxUW90TZHE9kTd9C",
        "DoVkKCG4QEvL2X3F63KV",
        "9AaiN",
        "OQyf3ENDiZiVXFonGVO",
        "nNEpH<",
        "gynBZfWGoV",
        "DjwVF9GR2ZRrPKpy75Ge",
        "%\\:4|",
        "nT9b3RGEJ12mH4OUWcJ0",
        "Pxqo63ZjEy",
        "B2whYwGcqxRRIqYBZfP",
        "?_%_^",
        "hR9YIwYvtN0s1v10kJl",
        "& ;8/",
        "noofcAGodgvXwgfycEV",
        "hP0OqdGItJHFE0HuXeqt",
        "L8tCFQGn2RNLm6vJO3jp",
        "gHok34wLhpENhXwe3rW",
        "w?4JU",
        "method_13",
        "JnZBRZGVuH9yis0wRVyL",
        "m5eiwvxMaMcMRapPITG",
        ";sm-D",
        "fplrs2nP29",
        "C6Jsm7XnOxuEkCKACZE",
        "WFT5IA6FO4",
        "NIZnkAEFVRt1Mfre7GS",
        "eEeILEPmGpM6vscbMns",
        "GFb7L",
        "_Lambda$__21",
        "Wi0c1Q4sQ00Z5Uw3YFD",
        "HwfbjtvvML5dRTtiqHH",
        "OZAuQIsNGwHqgurUFfI",
        "Rectangle",
        "fg3Onmg8pJ",
        "RtYbA0cSZ12TnALpCW",
        "V3AYGOQR9W1eAPtCtIi",
        "System.IO",
        "xID1GSTtleTQHSmm2YW",
        "';EkBT",
        "THW19^|6('Q.",
        "VAJ8m",
        "Upc7omGZ84R21qu8llyd",
        "    </application>",
        "le3cBWGINKavADP7sLhb",
        "aEd37jHCGfxtIFvSSL",
        "Ga1a5FBZwCnHnSbhI4F",
        "CQ1[E",
        "_cgJ/",
        "LbgQE0x1ES",
        "6g`&P",
        "s8FSJVlKbX",
        "DAQKG0RfiMKGyWrMfBE",
        "NOuCquJ7CWZNDoSSqbT",
        "kDQ:1",
        "p2e28HHAZs2SqL5W5sf",
        "y02CSmGKKUnSAaK9xcxR",
        "CafHyw",
        "YLlejulGlJ8vs863evH",
        "$$method0x6000020-1",
        "diW9UJGKrRaBgcQVq6HH",
        "jWIxtLqsR4mDHc1Q0AE",
        "vKqxytz2ClOEKUta8wd",
        "16Rn]",
        "Na28yOFhiaecCULul9t",
        "6<<f_F",
        "y2vLyEOXtoZnfYnPEQZ",
        "orientation_1",
        "|:+8$u",
        "!(hW]",
        "v.Zu8E)",
        "ListControl",
        "BhMl9gjs5yEcAQTvx2G",
        "a6HdlHZdgj",
        "RCHZxpAoTH4xDoSa0nN",
        "ax8fSPBpyedBTLINVXI",
        "-U4\\9qs",
        "IxpRnv1rgZUEFoRnpjS",
        "TimeRemaining",
        "scAdoZXFInoJGZ4ih0B",
        "QnXyk4sksi",
        "wPVl4BifecjkakZ4Tx5",
        "q*cAU",
        "AssemblyCompanyAttribute",
        "jxKJ8aGfvi3dduVm0Ltj",
        "w1\\cd*",
        "fTw4ttH25GkX8c2V7qp",
        "XmlDocument",
        "fuJK1Ebz8LB97yL7vq4",
        "GDelegate12",
        "fMQ6dwGlSXbYrCBLKu7n",
        "Sd71NBScKQNydwYKoiO",
        "w5GLlRG3OkGWhrdHRIuI",
        "CNpmbOyNhyAECuJbjnx",
        "W2oAQrHpib",
        "A0NTSfqbj9",
        "{11111-22222-40001-00001}",
        "qv1bSoEpNGlsOKGA6yv",
        "LIrQOrXfo20RtRE9CFC",
        "IIfeEOhPoLZE45XSBZ",
        "LinkLabel",
        "ncrNnm35bS",
        "ohioqIHwpA",
        "q4Tv'J",
        "dChVoOGE8AaFCS82vmbA",
        "eKJ1YjGXRjSm4ZW1C3DC",
        "IzbLfVL",
        "cKuADrG8XPk6yikOcTjk",
        "AgaRj",
        "TCaJnhtPDs",
        "jBWRAAsmhKJK62gN0XW",
        "jt103yGh9ZN9OreWF8nG",
        "JAvUQ6GZCdQUIxMeNcNN",
        "dnnP60GPnsKjkP2rqDZt",
        "cPbnhjGZYuZR5IKmXijw",
        "=!60a",
        "eln!Y",
        "U&].gT",
        "axVgooufcTCqlmJOyAw",
        "OsLja4GZAlCdA3TRmL0w",
        "*wE2T",
        "s3qaYUQekaGROdNNDF7",
        "lgq6QpGKhGQeEO5eZNBb",
        "wTrw\\o",
        "Mc30nRLeVOB1K15PIyq",
        "/**:Q0f",
        "checkBox_5",
        "IQ?2U",
        "obZFW6GPiZTevK4V2hQb",
        "J6ibYOjkEZ6N5BwFb8k",
        "pZHaI$",
        "ScrollToBottom",
        "qrBUob4TwTaOPu7DO91",
        "PluginCommand",
        "_Lambda$__66",
        "9^=%Z",
        "=\\-i{",
        "get_Enabled",
        "heW\\]",
        "itHrk7vbcb",
        ")~_qw",
        "Qw4joracpe",
        "l1WK7f7jbrWl6cA1gXS",
        "BO_O1qbz}s",
        "J*MkV",
        "ServerMainForm",
        "XuioR",
        "DEVANnTVwO",
        "Mn5wqKeS6n2rBRM9wov",
        "gsXNk5bTfx",
        "Queue`1",
        "DmshGAGlA9eAYDQl2y8R",
        "ss19gnwbOO6eKZ2Kc5a",
        "d1HiUbyybRIWCrLaDDL",
        "Rj9sDpfl6sr7RW02LyF",
        "gdyRqaoZabPohW3GGNN",
        "RLLNWdFrLRZb46DALfP",
        "j13ABAGMuhRmEh2WnAxH",
        "EwMiBh5aii",
        "Z`-#m",
        "dF{-a",
        "add_ValueChanged",
        "DF'B!",
        "GraphicsPath",
        "x3Jrrg7Nsxgaj3XbNUD",
        "Wh8YqA3OcduitsfPiCR",
        "CtlhdhQ3kt",
        "KQ`qq",
        "q3hwGvcSqgpXfelOZM0",
        "BOkVUgJgh3CFB1YSoQp",
        "IW.sE",
        "remove_ItemSelectionChanged",
        "xFV0eurN99TMIkImmC",
        "eFANb5YBB9",
        "kJ5N4T72Zh",
        "e0P3VaeUilQpvK8MAiA",
        "DhQeXWEF0K",
        "Uz Pe",
        "h)|E9",
        "0>6>1Qj",
        "Ud;6,",
        "hJhiDDVp5",
        "Cr7pB95zcwbiW4jGQJT",
        "p9\\<#",
        "RLyGS5vZrCGOq82xe7e",
        "M[Y}(",
        "\\mP Ms",
        "E7EPcmqbiGYfS5DexXk",
        "H9e4a1GyQDuO9Kt7Gct1",
        "O}*z+Q5",
        "XswvmhhXWE",
        "fVR^is",
        "pDpyd5kgF1EUWDJHaGC",
        "RXbQu",
        "JCimO2rfu7WnMLLUKj0",
        "HZYZ3OGniIOIf07xA9TH",
        "lO{G?",
        "sCx02xD3sWZkhEl0lrt",
        "hVcvKMG86vrZZf4Ct8uK",
        "Aqg1xLZ4C7",
        "eq54~",
        "qEEruFSdl1",
        "h&n&#",
        "G_;qXl",
        "N1U6TT9uEe",
        "N-7C5",
        "FenqntglDG",
        "oifBwhGXFr",
        "dtJh538pAv",
        "x=h[#",
        "QPsEEmu62YDmYeDvjiS",
        "p1sSBfJXIN",
        "X509Chain",
        "DA3PNfmp68wkrtlesQU",
        "DebuggerNonUserCodeAttribute",
        "Dq2lmEwAaq",
        "ValidateBlock",
        "kmcVQIc2ISkWO7a0opl",
        "8%-;k",
        "ycJy9WD5719RgcRHrOx",
        "e25HHdGVYwRqaD17YaHu",
        "k|H3~9*",
        "GtfekYnKOBVZcO27TUB",
        "nRLsQiiqWi78KdqGvEn",
        "aMzg`K`",
        "yKaNXawXrSFXbcs32R8",
        "adTqV5Ri8H",
        "yA'/I",
        "set_Checked",
        "Yey03crxAP",
        "CreateDecryptor",
        "euKxpdfCu7x1SZ6cj66",
        "LPCNt8GRFZJ7DNhloy79",
        "IAu0wncNtc",
        "Rm1srKuB7SeUt1CppD2",
        "pjJIcZGAhgleR2t77mTE",
        "B-_7E,A",
        "lLh7mT3yNy5W4e5Zilo",
        "ReadDouble",
        "Y,|Z\\<",
        "3Z-;h",
        "UL6C3Drkrgl1BM8A3Ck",
        "JPEL4ntImdPoq0Oa2K0",
        "ke4GixJlfuSkyeHaxCY",
        "UpJXOHGYqH05pUtFr8yJ",
        "Y/8?T",
        "N*G4_",
        "get_NewLine",
        "aHnLxhGI93rX8sW4iWdB",
        "9H-XG",
        ";)*Y\\",
        "cpRNmN1ZGIf4Iwg4k4I",
        "4lX~0",
        "^l( g",
        "yOBWXrGBoOdlD7ZIwU6",
        "get_InvokeRequired",
        "vnrke",
        "1Yx~.F ",
        "AssemblyFileVersionAttribute",
        "UVKjR8eh6k",
        "oraivFGhbdbn0p3I2u3j",
        "GetBlockHash",
        "nA/`i",
        "c9abEAGfEeSAhBylCHqZ",
        "Li2JPvmZpo8jWeS1fug",
        "EV1LwUaziY8awahJUUk",
        "GCgV8MGRjwugUkAFVg8Z",
        "Emt2-k",
        "m1cM0BSDlDHoYAxh0k7",
        "zIR6KPy6Qr9AQytSqv6",
        "Ctf1kmj3OXhykQGGBtD",
        "tkpRsx01TJ",
        "X4NBBEOkWGsFaW1tmIk",
        "JfxUPoOUKaG8l7JEslC",
        ",4S}Fo",
        "Focus",
        "IBuildEventArgs",
        "fJxcjKGmSCV5nHNKc2Z4",
        "iJsAVDGefyuDEtaLeaLh",
        "CQVglCkGsYti86fQCsk",
        "WdZrMxf4N2JwZ86sCBB",
        "PoXwndo3ep",
        "b,iX4",
        "vMEdH0QuRj",
        "]vcP.x{",
        "iNuUBMiM9j5TMFbIuIE",
        "d0RYgQWQ6N",
        "\\n<-VM",
        "EnableToolStripMenuItem",
        "NsJ'1",
        "dPANP7GK8r8DOOMZACam",
        "X/ong",
        "aCb2jBG8JPZnm7moZ2V9",
        "R4VssEnWufgauY7WITI",
        "OiN5RCT4EUnR1FQHIKE",
        "E2jyNcMkJB",
        "sq9cILGIQ1uXx8xUMHQF",
        "EAbr@",
        "uEkDihn6DEBZocSf2j5",
        "get_Modules",
        "zUyqCuGEZtYLednNPkTQ",
        "E34vgZN3n9",
        ">i^;'",
        "x6dC6kI9LISYluiClji",
        "AppendLine",
        "RemoteCertificateValidationCallback",
        "QC4S4lWpdDCyd7sMe0H",
        "fsZnCETKK7",
        "pFMUeBGY4WQc5Q0A8tKN",
        "zeVrUtF3SreQmHknddN",
        "4[|Fw",
        "t2cGreVmtBfpHKxZuqV",
        "obUfhKPRRju8hOSQUU1",
        "tQX.x",
        "I5vlv3JgeNdBM5mhlJ",
        "e07CSEd7le",
        "WoOgayGmmP2Zp87dJV34",
        "&L2o~",
        "wRn6Aw6VkD",
        "vLLpGZf0yXA3i1ohhYY",
        "hpOybwqNnAAxX94TVcu",
        "MXeroQ5kdRsfK8mESQf",
        "MessageBox",
        "2Ru\"8u5",
        "System.Drawing",
        "ytHReokCTbIxiDWbOUr",
        "auFldpEg9cEvqMD0JU",
        "fEAcNaGGADcgSVuaIbrx",
        "ContextGetCheckStateDelegate",
        "method_40",
        "T2dcucZBVjQ49JHq82S",
        "BXFfdgpdkh",
        "TfE1FeN2eR38c7qEO0x",
        "WTfwd8KEED",
        "dHfgTixcBstqABttNQu",
        "JtpRHcNUniTVau4tth",
        "l2eh8xPwV",
        "nsqwXn3LIc",
        "AUXdk6xwbe",
        "hwv|\"",
        "OoPDKiGPC9QLT1lT7igD",
        "StringComparison",
        "EOY3etIZvnHlHZCdDBo",
        "iserverUI_0",
        "npUwH1AVMJO6vvQoRfm",
        "jHlBAQGRQGCDey7hvnEc",
        "BUOJYhGgFKMjtMJRQ9PU",
        "IX3RBcUiyc",
        "S1xJTAGGQd8CYduqO8c5",
        "BxPTCHGrUCd8KbkEErQC",
        "gWbkUhEHiXGhgSMnHV",
        "lC7Ons6qIaYm71hq5pg",
        "'<BxU",
        ":55M^",
        "C94ESrGbAaV4K3STQoii",
        "PifgaEGVUW0jAUeXsnYT",
        "+t3z/",
        "kIKxGjGxMp4JPqqoaRHL",
        "Pip78xGyGl1FdGKbaGpL",
        "V9ejWPEycI",
        "add_HandleCreated",
        "`g}Gu:",
        "gclass12_1",
        "TPIGMVRTlEJQ5rwoJDE",
        "7q5XB",
        "IYLU2qKNWI4cXAivJgr",
        "UC9w0XBGrq",
        "yQ3Sp5vxgLaQrXSHtHV",
        "MOyD[",
        "KrwiQYqZdw",
        "1h^V:",
        "Yp1uqRGIbO948ibR94m2",
        "gwV1TFQDNU",
        ",PPDaR:D",
        "GClass3",
        "L0MdwwGRBB9T46R6uR7d",
        "&QF5lT~",
        "<ji9u",
        "iHXBtGDD`",
        "u)3q(>4",
        "tGEoMUxDfKKjgnMWX3m",
        "lFhMS9GKSK4exN7SZZ8c",
        "j^3C[",
        "hBYEy9GLNjpY4loIeWkY",
        "d}WGy",
        "SYUJGdGbE5CnFdvl3EQb",
        "Ceiling",
        "W0mh6fuqIsMKjYKOjDp",
        "cyDVBXvdCESgxX79bVU",
        "YHDouTPxeiNdIsu1kRG",
        "OnCreateMainForm",
        "+|&^W",
        "FileTransferRemoved",
        "vwOVXGgfhJDjoc827P1",
        "mfSV1UTYXvQOPKctiIZ",
        "H6fBJ4N6PROeEaZE4hl",
        "vx908YGn0od9uncF3ukx",
        "ptaierDo4H",
        "Bi4ey2qp3X",
        "method_46",
        "]j};BLi\"",
        "P9*kw",
        "CsW3b7Gy66H09A7dsJmK",
        "zFS2e",
        "b,i:|o]|",
        "f8HlYktEE9",
        "fq=)3 ",
        "get_Images",
        "QlxfG6GYge1UAcHh4Hhq",
        "rBsYk2G3fZOOYwNf9sQX",
        "fX.1G",
        "Q3XnHyWp6A",
        "][!dz",
        "aZbERRG4CSClpcwgdhv",
        "VcxBnye78Mu4BagcWLw",
        "EUEpqeXzBYrc3soGPA5",
        "guid_0",
        "VqK8FYiK63YkS4fQlHR",
        "Mu%pk",
        "OrvCdx",
        "sNVA2anygoLjw271BCJ",
        "k3qo3l7R0txg3rxPmZC",
        "uQBA^",
        "LihL9IGVU2AmRXcwoBb",
        "cRdrAQ4sYG",
        "UwRorlGwZL6uaZNgjtqX",
        "hiBraTZls2",
        "coi1nPgvvn",
        "aK3O8BwPy0VyALG5Ncm",
        "ebW_J",
        "float_3",
        "i99ScIlrtxO0IiQI9uc",
        "GKeAe",
        "tPHIV8ihXCU6SpwFGPF",
        "lZF3ThA2ECit61u7Gio",
        "duration",
        "jtXNrWN8hROCvpyCBk7",
        "@/2CT",
        "Bronze",
        "hCPTchVVYY",
        "LrnIKIGfieypGE9r8U39",
        "BdxkDlb0SHovmcZUPxL",
        "HZdBj6G4HOCh7Kk2QWcr",
        "hgujwlqVgndM0byfwMj",
        "{|MVq",
        "\\CQJq",
        "toolStripMenuItem_0",
        "yJmect",
        "QPMQP",
        "9[I*C",
        "WsF6BG5A44",
        "ui9dosXNoM",
        "set_StateChangedCallback",
        "txA65mB1kt",
        "SetWindowTheme",
        "QWtgSgGgyoJ9JVKvcXqd",
        "isVI02Gh1fuxwhAEa25N",
        "H1qd6EGrK5tLwcrlkbds",
        "JEginir4An",
        "[@ig:",
        "DeleteToolStripMenuItem",
        "iWYiWeGLF2Yv0ivMxesl",
        "*}^En3R",
        "]tpFT",
        "=WD`!",
        "rjggSVRrvelMVebQlN7",
        "set_StartPosition",
        "qnQNHumwVMAvwIqCgLa",
        "set_Name",
        "PointToClient",
        "Sd5BfbG8T18IKyUK3y8s",
        "?r9g$",
        "|wFnm=w",
        "?`$U@<",
        "FromFile",
        "get_Black",
        "aphC7nkV5M",
        "yjBta1GfGRpx5GEC91ck",
        "xR5I1CGwr5oC3b3SYQ7T",
        "1UV@M",
        "[fFAi>",
        "SaveFileDialog",
        "<;<X<b<i<v<",
        "OihHbr9lto7rHpm51BY",
        "IsPQSwb6OI",
        "5Ml@'",
        "cVOJuRGeVHtgX4RViF4S",
        "*=*S*d*q*",
        "i4KAz0Vt3X",
        "BMpHH3Lb0isXrQqMyLt",
        "OQk5lolBNyQXLy5nP99",
        "pXs\"u",
        "lX2n6x7BFJOC7k2jOIj",
        "set_AcceptButton",
        "bIx75",
        "nMUK3rGMdjhuGE2AIxdE",
        "set_AllowDrop",
        "ncmuMCRI8TFjQ9IjxLl",
        "vNnj2GGCcagM2IIDQL5",
        "xTZFEKA4Hw87m3dSe3d",
        "ywyy4byPlZMTLqrZJ2C",
        "kE0T5xGdcy2q4dsGUm5",
        "eTdEtRKieKCxfFuGfUa",
        "VWtWAOGCq1bfWadq4MOE",
        "zHWfrxzpIgoDRWbSY0l",
        ">p&h,j",
        "method_31",
        "gxUWTlTxWkQQl4vLQD2",
        "lY2kCgnj6MdTD8b9Gyo",
        "j38YsCG625Rg30nrHxR",
        "Li5PnZkFDbo2aKbHwL1",
        "WcFYGBlzx5EhnHUUudZ",
        "qs1jHJYqV9",
        "tv3Uy9bnv6CiqCdCwUt",
        "KxPxoLGw64mEXasMaYEe",
        "BBJU6HcdtUdHcrRoSFt",
        "njqyRU66Z",
        "Pv8AHHwyBm",
        "gK@EN",
        "xKHO2FGMUHgTN623oJGY",
        "j!&`z",
        "jrkRM",
        "#b2Jq",
        "du5hw8MvKH",
        "VVkqPTGZPkSyetX9Hb0P",
        "~^IV,",
        "C9uQlrEeoOkcH60gHLb",
        "e5gxExIE22kWeE7mV2T",
        "n5hJVJ4LM7tBrwL2XlF",
        "ExecuteReader",
        "axSGexnnGNksGi5EQPH",
        "4r:d<",
        "iPGMYpTvJQ7DQ2eTTwZ",
        "_Lambda$__51",
        "gYiZSNprJYbjGGHUNkJ",
        "fLrobT7YrD",
        "PBJWXvEdmksTFtHC7yO",
        "qK6wqaGK4VNfXnDM1XLM",
        "zr0POLSWTw4GkaibYRo",
        "ReadLine",
        "_Lambda$__83",
        "SQp0Iv6T34QbOBNx6hU",
        "t:A(%Q",
        "oBu8cKGN6pCUSCimPquH",
        "U97tIWrPVHDb0FvdHKh",
        "fgIFIiDqRehcHM6jGue",
        "set_Locked",
        "ecXWP2llIMHULFr1kw4",
        "RxSPxZTHPerJ5WquYbR",
        "tgcqxpXOXC",
        "|zqTb",
        "!Poc,",
        "w8LV5LGwOJ88xX5dRnHC",
        "StreamWriter",
        "IWLwesSOyT",
        "I4hGFWs8mfswtf9fAiW",
        "jf4qYsSmu3",
        ">?]+*",
        "_IgqElc,",
        "aAsfRFtd33",
        "A46HqUGXx49ZaFonnp81",
        "ueJRS7YYh8qBEpq2Je0",
        "qnQV43G8O9TY6UnCgiib",
        "OyPdtxGAnR5AjMAaDDth",
        "IGACap5o96iNI9uQpfp",
        "uhjCV5qYSyxpIxIaFNq",
        "kjXTivoBeh",
        "AWg/`S",
        "PIFwbWGGpTWIs4hm0KJl",
        "hEuY4JcTZlRDE9vq6Qj",
        "P ]fYsJ",
        "%2d,UC6",
        "K8Vhys2Ftx",
        "KQloEKve2o95FenAUBp",
        "3Sp?m",
        "nypXGQ7z0CiWRJB6D9g",
        "J6k8xixh3fiE6YHLyQx",
        "\"&PvU",
        "AssemblyDescriptionAttribute",
        "NextResult",
        "remove_Selected",
        "rKJk4GM4C9GGSIJWW2t",
        "BPtRLpGyzpkCGuxjAosn",
        "ListViewEx1",
        "h^UG\"",
        "Bn*(l",
        "CdQgjuQjr4XPEepDP8D",
        "c2oAXcOLtD",
        "*>NW@",
        "_NPWH",
        "G3xTOo0AiqnMLI86tw3",
        "G2ZiwdGlyYmtYX7Y3vCU",
        "HoAEs9Zvh",
        "dfvnvKmLYgd6GMVYn4o",
        "N';Xe",
        "P5fSHT0JYXLgmspkEiB",
        "uFhjPoAenGB20fWv7Xt",
        "get_DropDown",
        "VgrIHuGenMEG4UsUBFDa",
        "Getr5D",
        "<A>Bk!l,",
        "iw7nhG7rmd",
        "aYgomtugdTHWLEgUaiL",
        "g8yCQyfkrIYs7t0A2HT",
        "GTOSsReFxSoMVq1WlcQ",
        "K)s4C",
        "VxRdx2wE2c",
        "aCqq4hGSMZ",
        "PX8xhvjq14",
        "KryP6GnDgsF82OL9Dqn",
        "D5thndIa03wpOLwMSAB",
        "IRuNIVaXGl",
        "add_ItemSelectionChanged",
        "kP7yaVKexNpf7mq04PM",
        "gaa7XH5SNPKF1BlhfBD",
        "Broadcast",
        "MnEhf9GA9F1iAPrOcFhv",
        "V9SBBxGGcEd2WZH3IqpG",
        "tUO6luYRbG",
        "~J{1'",
        "HOMSISfZ00iHTkbi1xA",
        "Location",
        "DG5d4VhBR7XkFFPkjlY",
        "Panel",
        "get_Attributes",
        "uXQinNtgkkCFtPur2bV",
        "Ynmr7OGP7r3sIPPXDhJ1",
        "Utngq",
        "dkc0NuXryY",
        "(SYMf",
        "Rl44iVhg4cpvI4rL4xi",
        "XpuVFAGCKDQW6DShJQav",
        "Ol5C4vZnxZGFJ3DwAu5",
        "xs5:*",
        "zss2agGlfcg3ECrTkj9r",
        "SoundPlayer",
        "J:xeGt",
        "SalThqltye",
        "!(\";u",
        "H4Y1W3x5CiMrVuB4yR2",
        "mRceNGE6AawrCmGdiTp",
        "VVF}/",
        "u6ZjFvG3IKqnfs9qmssU",
        "jJXrLUcnqx",
        "NIuS2xU6h7iOcchgN4d",
        "MyGroupCollectionAttribute",
        "xrAeDXRx7gTamqKdklm",
        "hYLn2RDirF73hyddVKU",
        "q3Zw2dbKtv",
        "vb3DNAGCAUD9VII184ek",
        "t:uGB",
        "GClass4",
        "CjAqPMWHvXHhdMXCr5C",
        "ParamArrayAttribute",
        "z/6/G",
        "zdoAtlQHhO",
        "remove_Deselected",
        "compress",
        "hOPo5OGrg5RsjkOyk9Jp",
        "        <requestedExecutionLevel  level=\"asInvoker\" uiAccess=\"false\" />",
        "Nh9aMB49qhfQhRo55SY",
        "otfVbefCyh8Ckp7P18",
        "zsu4MlEh3CZP2WPjsj4",
        "yA7On2FRGyBZwWQPkT9",
        "ToString",
        "aBUrgcGR4amoiSX0F0nE",
        "vJ0mWJGlTL5s1FSZDkUQ",
        "XxsgQQroLdFX5QUVURP",
        "set_TextRenderingHint",
        "oHLCXfsQQHmCR8EFn1d",
        "(oKI!",
        "AjyAUqQpRT",
        "PXmdHAiy7De0HI39OjE",
        "int_14",
        "&i8hu",
        "eL4QR33dLZ",
        "NgrRNUSTLpw2V2ex5Qv",
        "IQk6N",
        "jXtrigPQPe",
        "F v*8",
        "iconDirEntry_0",
        ":K?)9i",
        "0vV^9",
        "ao5XvDV3y6mqimSj7jQ",
        "MxPIUYKYbJJNaHdo1M4",
        "set_CheckState",
        "I0fA|",
        "T8VO4UJkdrb9YEncrLY",
        "SByte",
        "`8EE-",
        "crTktd0zkX582kx6Tdv",
        "t6bmGbEDwqv2Iua7YuO",
        "whoh63xN0A7kE7Vaum6",
        "GClass8",
        "eH4Oz0OZg1",
        "RlkBOu53OKyHN3lktLA",
        "D8Am7OGCcNjsU6Z6wMuX",
        "0w,:3",
        "5#eOZc",
        "pvd9^f",
        "REneEgTs3PCggaAIccu",
        "jo8CQAF9THrXB8qcBiW",
        "uCnEW7q7TvBLN4AxsAV",
        "QHnosT3RYU",
        "vlBehyG4my9kDYmuE3fi",
        "set_UseMachineKeyStore",
        "j\"u]\\",
        "IVnrqsCCgG",
        "l6bFNFgmJdqdqHtLq9E",
        "n3LU7",
        "rWNT2yGQv8t2a8VmWVa",
        "GDelegate17",
        "SlaSmfUZ1OIUDH5Pt86",
        "WkEqIZmxD8",
        "avZa2QUyHYng08kuKZu",
        "ClientStateChanged",
        "Vi6ZGmGh2MH2wfEAaIH7",
        "UXCJX4L015",
        "pbJKDs2yCEWK3ZEabIT",
        "get_Exception",
        "zVMrxPbsAf",
        "ifXeYJch9Y3jWifSW6C",
        "u1oBy13Ku2",
        "he5FxjIPyIsBin6dLMx",
        "aNfO54j5an",
        "Fp7hdo4hPFM59t3eSVS",
        "Y8UTU5GxTjcEs7nMEF3l",
        "Yp6L9QGNYtBWZVpOUPra",
        "SplitContainer3",
        "get_ProductVersion",
        "oqAO5",
        "p2HqBawTHB",
        "NFXjQnk3Dl",
        "m2Gwy8H0RV",
        "yB0dtLtIusjtZauQ0j",
        "ZI[{8(S",
        "h6AyXqGKyuYTqru7L91L",
        "amA4G3jYKGOVu1kWwG4",
        "Zj0=d",
        "i4cihuqYC9",
        "SetLength",
        "jIU6kwGnyDr96SWR3ZTA",
        "VtDb9FOIGR",
        "nETQnKrckl",
        "<nL_{",
        "x4*cfL",
        "`}<ig*7",
        "GjDlixPwuqRGoidCjx1",
        "AuvMFqGmRPLAZCd7wQ4y",
        "get_DropDownItems",
        "kDqOSbBaQx",
        "5)UA:",
        "jpcOsiG8hBTAsvFG8wX2",
        "Kx3lBjGhuKJ1mWgWfZPr",
        "qJUkbBZqXSEZjjCkQdL",
        "I%U=7~+u+",
        "HiCQwsrLMABCdEbiJtF",
        "),e]JVQ",
        "      <!-- A list of all Windows versions that this application is designed to work with. ",
        "lpPBsDEZH7",
        "POS!)-wE+F\"",
        "FRRoX3A46t",
        "N6eCGZjRtY",
        "deOSW",
        "_Lambda$__13",
        "SQLiteCommand",
        "MtG9bNGGMXvPbDyV0utK",
        "vQEBJ6pYNvyrLEMtg2",
        "tRTS8ksllhr4FGgIQph",
        "k}(pd",
        "System.Windows.Forms",
        "ListenerStateChanged",
        "gg1KUZgIynbbiJoT58n",
        "q1g@Iv",
        "9C{L@",
        "EDfAh2G8l6g0R4aYnTMN",
        "MouseButtons",
        "sJf1eHcqNwmoLC46k6d",
        "SJW287Bnho61BQQ1hxN",
        "qG8attAsui80lmwCAM",
        ">J+kh4u",
        "set_CookieContainer",
        "?${b5",
        "P8CW6nGrfEXyWaCLufT5",
        "MuOQTcGravXccXYjB615",
        "bDkN3r",
        "label_22",
        "add_LinkClicked",
        "IClientDataHost",
        "QOXMP3GxnUF0YmMCiExN",
        "Qmv',B;",
        "Single",
        "GNm6o9kFjp",
        "aApP6vZ7bnSimHI8PZa",
        "Gid5BTGLj4lcrGVsB3Tk",
        "get_Name",
        "RMZNeILiV8",
        "+]YQF",
        "ToolStripDropDownItem",
        "P7in2eNcMqE83vO39l",
        "rX5*#",
        "fvVBVIMQPi",
        "XfNdfCh2S9PnVLyYVqX",
        "Mc*KQ`",
        "Ko7j1BDuRB",
        "set_FullRowSelect",
        "a9glyHX1tgpNygRqhKK",
        "GetResourceString",
        "Dc^P_",
        "LRmuQbGAz8P8bZVQTjqc",
        "WDA3dwGEQkQX3kekcdXU",
        "kYFhjwGnok7XdaSJVErD",
        "Button1",
        ";o\"<ER",
        "B?C.N",
        "^Q!}?",
        "JC78x0JKYSacRmRwwQa",
        "lCcLmG74nlKiw53FJsI",
        "Double",
        "hDO0svMbFu",
        "GetCurrentProcess",
        "lN9brOfjOQTCide3oqb",
        "set_ShowRootLines",
        "1l-'U;A",
        "t4ktDBwynZqgNLcMWXN",
        "-p=eq!8",
        "FillPath",
        "lXDV0cSSNLS7lseFiiV",
        "label_2",
        ");hkF",
        "Nu4#O",
        "tYwkZ5NUoFVarAIF5KM",
        "jvjYeuGbP8IRJqeB51Du",
        "ar2xw8GXzvZ8OQv1dZo1",
        "XRBY?",
        "lX<%;v",
        "rDMqdBGNASLclR8yY9SM",
        "zo7Sy",
        "uqnV7gcDPmZtsbVVlw8",
        "GQjo1MEXc2nnE9CvtKs",
        "get_SelectedItem",
        "zmce4Mv6nN",
        "7[*M@",
        "kWUeuZbcOx",
        "TQj5TLKbgh",
        "fGxugfvL67YOwbnUVGo",
        "set_Left",
        "W{Gn ",
        "E9JP3IgJ9SoikpQDWK1",
        "JMXhnMbNYg",
        "lgJJEdD8CL",
        "FRPTZOpxASPSSO8i80j",
        "QQAliJseDjkqw9gV7Vy",
        "MenuItemSelected",
        "hVOawg6d8r2ZhwcPIwJ",
        "A^h@f",
        ")|L<bKc]",
        "Q;fA=k3",
        "set_WindowState",
        "hKAvtS3jF2",
        "mfy4FUGXXft8L5Qsq209",
        "fZHulS08mZIDQhmMm68",
        "j45UJMGe7fBTGNBLDIE3",
        "fPtNhldvu6",
        "$D332DB9E-B9B3-4125-8207-A14884F53216",
        "d3gvGryJHb",
        "RJUIE8G495QJVw2IvFFw",
        "s1rRz[",
        "eZm6ZJ98gM",
        "zxBoPqdcq3",
        "gfMo5jGIFQ0DAg55elOh",
        "mXhW4?&",
        "hM9RzB4PjR",
        "mxgQiuYisA",
        ":JA$']",
        "aprqUZGgOPjSBBN4Fgn6",
        "jh0JUUGlae6kfuAVuFIK",
        "SJXYk7xqHx",
        "gcontrol3_1",
        "-L{&k3",
        "FSRSOYxX3JgWdSs9H6D",
        "NirGD2Gre6BwGfMw5N7S",
        "FZb0lx8LVv",
        "U1114IGYtjLmaFX3O775",
        "I7g5QphSfaZG6VW0xvi",
        "k)}de>b_?=o",
        "tERUXMGRzZrMy5KPYvhC",
        "SvXvvpGfqXSbeyUQhpdy",
        "Iy8xAVALbkLUxljl5Cx",
        "YikdWrGP2CarxxKsFbpV",
        "torIQfGMvrQMNsGfNUey",
        "oYhJFEKxHssV6fjUKyl",
        "get_SelectedIndices",
        "VM6TTkaG4p",
        "IServerBuildHost",
        "CipatlgDBZ3neQRCucO",
        "unVyGeYglo",
        "aTni2jwoWr",
        "fdUh5SGl749uBkWwDeMs",
        "OMiwJ3",
        "W4mYl3MgC7",
        "-XXwz",
        "KeyEventArgs",
        "UwWu6",
        ",|RHU",
        "ColumnHeaderCollection",
        "CheckBox2",
        "xO5JUlbW6V",
        "RectangleF",
        "~W]S2",
        "aIW2ECK6sPQl3cw0RE6",
        "iHz+[",
        "VjGZnSRRyVlP4v2iOd",
        "Tg6yG4mGSNJ31ftvCa",
        "PnENKbPuXF3n5bF7o6n",
        "tmISrv2niQaH3XaErAd",
        "dHd6Txav2iZ0Tmll51",
        "nYho725M9M",
        "NDDsu1GZtlabGKrat1h",
        "v}OYt",
        "sIt14DQQWNIiI841Lry",
        "uS4tVFGMKZh5DPQX3OOv",
        "'pau]g",
        "zlcotGYnvK1HcZ7iUlQ",
        "F h(8",
        "U5p2VHGU7y3Yomp5Qtr",
        "dnKcdA",
        "+7j[<4*",
        "VKCTICjdpq",
        "g]Fl<",
        " T  Q",
        "OfHUSJwBwurFamKiR3v",
        "set_ScrollBars",
        ";}_@u",
        "TCyv4dGymuJOY2FvwJtO",
        "oPelfmtuxelmqLkfU6a",
        "suxZ4qGedImBP60ZAoT0",
        "IX5VZlK1qLLjN9UvF13",
        "t.FU+",
        "qyxK0UyxRitIacdPfk1",
        "@.6GsS",
        "YwOK7",
        "get_Chars",
        "NuXTxdAnuK",
        "I0Fs3gRgU2vwd6DA98e",
        "UO7TkL4R108vn03Qv44",
        ">_)v\"",
        "pJwRlqGZM3DnKHc3PHqs",
        "4B|Sw",
        "ucAoDoRWa5RI8chk3wY",
        "cow5GAFlvYFwGZ3X8Gw",
        "*E!lZ",
        "System.Data.SQLite",
        "dIneJGrtU6",
        "WFCPvmGm7WEcmV53Gvmh",
        "No4f8SwxghPEEZE55U8",
        "MenuBorder",
        "jFz86",
        "N8}{7",
        "nELOoLNiPo",
        "yJodsv6P7o",
        "lDsRfTctZpbsoZU5Fxp",
        "eVmXy",
        "OH98fXKh61hhxwxvf9V",
        "qJTxg0H7xbet2unTX8h",
        "lV3j62VSXp",
        "&ChS!",
        "ehWGb3TQmW8EPPbr5y4",
        "y4iggt2absOQJhhG7ap",
        "NcB6AFGwfr46rsWpbZBr",
        "SjX(M",
        "  <compatibility xmlns=\"urn:schemas-microsoft-com:compatibility.v1\">",
        "Empty",
        "%qAoZ",
        "IgxGZJfdx5VqXiWvmNY",
        "acgIEezK7OQcgRSrhkD",
        "sO3=k",
        "HGiNxB7ZBp",
        "jA@f)",
        "  </dependency>",
        "(WA^w",
        "GClass15",
        "GPeUxMz8YAdFy4FVRNN",
        "qhcRFnGh3mJrhsxnWpWg",
        "0T(E=",
        "EFQLx4v92BVXrRSZKhK",
        "Cpe57qQDFfo5l9TmoEa",
        "nZ9ZoO123RlwRsd5eKb",
        "\\6>r[",
        "PmqTsDsxXr",
        "&--QK",
        ")MlXN",
        "yAtWeT2VKwCFfoYCEC0",
        "GEnum0",
        "rqrIuYGPUFpEXvyl6yws",
        "paFM83G3a9TrpceCB48q",
        "TabPage3",
        "ueoBI",
        "&ScNqk",
        "qgqgvIevxHjMo4rfi90",
        "45fj9",
        "}~zP1^",
        "hPpoWBGbB37qIuhWDYFI",
        "zXiTEPX8hk",
        "Ww4WijMw6aBL45AUvs",
        "Am7VAAIjglITTs0Y4As",
        "Xk91Ls7AFvHWWaX6oyv",
        "9wwwh",
        "IxpNXaMhG5qpQEwEDum",
        "iserverBuild_0",
        "mKCW(",
        "LkmZOpGljSItpdYyOY3d",
        "8i;=}lyS",
        "FNKUlhXU17bVteWCXjb",
        "TkgySkfmOLsufHAo0LC",
        "LKiM27GAj2WYUyNZBdeZ",
        "{5&51",
        "VnIsorZvRIT1HxEPHQj",
        "rqcMJYHlRc9L35ShIrC",
        "BlWfwFTeZj",
        "nBIWuYd4b",
        "XJNvcedJ91",
        "FJcn9wGLow55A6oUM924",
        "fx<I0B]",
        "iOG6OE3Hu9iJscw2x2y",
        "aiLHAWztaT3F8O6Pv0E",
        "UmYV00Una744estySby",
        "H^(U;)",
        "RK2hxrAGk5",
        "AddContextEntry",
        "c6xSuQITaMBwuyYFpeK",
        "vjAQsKb1XSiox9NB7W7",
        "ISQLReader",
        "YKyQ4TcflhWCn9B5HFo",
        "ConnectionsWidget",
        "WKwPeTgOb45371tNeA1",
        "BW522x6UUqvS3Ex94OJ",
        "_Lambda$__89",
        "XbWON7Wu3H",
        "OnMouseEnter",
        "pj6dB2tC3Y",
        "2:kKO",
        "GClass5",
        "2@lX`",
        "#cBRC",
        "FlJJj2NeWS",
        "/2@P55",
        "AnimateWindow",
        "rgdYJ5gNMZ",
        "S@C>,",
        "aCheF0MUyoBK7mTlsDO",
        "nFJn2FXCuj",
        "zkvAobGeRW8Sb4f5QeBh",
        "SetupPhase",
        "EjCW4GG3nIISPYNJn5PV",
        ".n C}i[",
        "SaEN2b4UwR",
        "_Lambda$__19",
        "5~js}l",
        "gqDjIoy3y4S8VYLvjEb",
        "T3VxWo8ScWsFKxrNcXU",
        "PQoVYxvFcyhFMYTeGwM",
        "LWo75",
        "IContainer",
        "JS6emoxtlVMQSUKXx9l",
        "ServerInvokeDelegate",
        "Hdn78YGfDO7mM7baLuoj",
        "_Lambda$__45",
        "FI6NZrMp3K0Gy3dOuxH",
        "tabPage_6",
        "pS0JL5GhsyNV2d8G0PnP",
        "();B=",
        "NlBZ%",
        "xD8baMSjrrJYiIPr7u4",
        "SetClip",
        "ContextEntry",
        "PLTFAyVIkHRpd6lxdoI",
        "FjZaBMzTAumONNw0SvN",
        "Reverse",
        "vxn6R3GX12FdyBlPq3nM",
        "ygTVJEiL901mMYRn1h",
        "JQb2rmGbQerotOegN3lj",
        "Lf4hpyYU4fXpV96v1US",
        "p7|;v",
        "0c\\g/",
        "StartFileTransfer",
        "XGYyaJa9oLg6Av1jvOZ",
        "tPrxyE2Trv7T2tFgXoI",
        "VdCT3KHsPJ",
        "FCyi3aGeaDDLJcrfLoW7",
        "PWzY'|g",
        "set_Icon",
        "LT1sgKKbvTdPQOqV3yZ",
        "VjhDBWZGSdTevT421ep",
        "enZbDAYzUlGHgZHDHHW",
        "PybX8gKcQ0H74pmeAXQ",
        "DSACryptoServiceProvider",
        "l7HYSEGR0OQIjj3Lk4VL",
        "gvHyBnexqoE5F8w4N3S",
        "bool_8",
        "oUZT$",
        "X06h12TdK5",
        "s7QbiKYfn3jnNq5QLH2",
        "AJGrtFV4lC",
        "pJMp:D",
        "jcsi0Unbya",
        "uq10rY",
        "#_{mUM",
        "Neyw4mCN7u",
        "MX8BuJrEWI",
        "uhEHQaW7gZSCqNrhVyS",
        "J'*$P",
        "mJdFx5GA5hj0XU9WLvi2",
        "hkKI5lNrbNNxtQ2j09d",
        "LKAGwdYj8PFjTmvmum8",
        "U3yLwsGmDZXPcFSZHNqJ",
        "uuDhqvGl6v3RWiWOjG8y",
        "kZrUjLGN5yuhnhWWPyNO",
        "YjqSBHHLA1nuqCsy7tm",
        "THfSBczRRUkbSBhAZI",
        "omQnmtP4jI",
        "rfhB8E3hu8575wxrLda",
        "oiubKQGXqo1P58W7Ddp",
        "amN3fWBy5qlkueYZcu",
        "jUeYtsPrD3gw8rERlIc",
        "56\"v|",
        "ynIYwRaPDI",
        "BoBhmiyIfq",
        "e|yO ",
        "IServerUIHost",
        "Uk$*A",
        "set_ShowImageMargin",
        "BGBTphOLCe",
        "ShowToastNotification",
        "set_DisplayIndex",
        "aw2MdyyI0MeBB9hM3kN",
        "GyusI0EgCirKQ8JRKNF",
        "NiuN5yGZNJEr0jis6hJu",
        "TQrl6BMqXg",
        "KXoWilGMRZkXwXQ7Au8c",
        "cZQXq",
        "WQUPypT4snmvnOCqfca",
        "?kvIfxZ",
        "syAQHuWi5C",
        "h$eTfB",
        "+zcB}",
        "RKGBaqOpGx",
        "qWd3NMWwcdoYnPRxIc3",
        "TMTT98M0nTWFCIuUxtl",
        "7_n} ",
        "method_39",
        "|R*/L8",
        "{hx[W%",
        "=s&p;",
        "ListenerRemoved",
        "qRonEpQTQM",
        "@&e8(3VU",
        "get_Assembly",
        "LtTfem3G7V",
        "Ia4uUYnp1qKm9UfBDV2",
        "Tr%]m",
        "CloseFigure",
        "EYlPIcVKvlbN4NFxT6O",
        "DESCryptoServiceProvider",
        "h3wp6",
        "Mu!U@",
        "MemoryStream",
        "OREEVcjj2wdKQZLDDv7",
        "svFh8sG4fdTrOF0uGOA6",
        "Ljs;}<",
        "BwhWNCkzBAtcotdZHd8",
        "jXmoW8GwB7TSkrk6arUj",
        "VySgCrGgW2PgynSg0Tdb",
        "pdLjRx",
        "pCN6U08Q5f",
        "(ToyB",
        "MOlQfC62tFx36nVUtUe",
        "ContainerControl",
        "x5QX37dJw8p81IeOk9b",
        "TN5bdl2BpcxJHh9c7rO",
        "U4eW6g5vaEQwi3V8leA",
        "|7'\\(",
        "g+.c&",
        "lv_GROUP_0",
        "toErfJqqnU",
        "mONPGFGxrtFTw0PqGfVY",
        "Kmv5fLw5f0",
        "yRniIQwg7u8CuTVpevn",
        "MWt90j4zhv2wMTxNcXe",
        "H94|r;\"",
        "LxOQOmIfW2",
        "5vVxkp",
        "nbOtTfGhS9RnNcPrC6Pq",
        "jwdiNGG86Q",
        "15W/hZ ",
        "k8\"XL",
        "GClass30",
        "@tW;kv",
        "GClass6",
        "JOBJ3yGEo1088NENpxiR",
        "tFvplDGlosG5okrmQ0ir",
        "value",
        "GetManifestResourceStream",
        "rhHn6qPNPt",
        "Eo81WQv0Mc",
        "axj0nv0vHDKpnv2rNJ1",
        "adMJOfGn8ZGnaMs4938b",
        "Misyg57GJosjNtkedD1",
        "Waqil0GmNFxjlypfvTkI",
        "wkE1ocGCxWdXnSX4aF6e",
        "gcontrol7_1",
        "object_1",
        "Gptw7FGZ0KeWcoCeMcOB",
        "+FEz[@",
        "MSElWPuqXx",
        "\"o[{3",
        "method_1",
        "A6UhHIPYZiCdkLy6WZC",
        "xfkFT5gBCriIs8thCX5",
        "kxrukqBrlICdReVMd2A",
        "E6wTCQEq3wvqwBvcHwp",
        "3q>=Iy",
        "om5CiKGlM8VEYiDuh82L",
        "DownloadData",
        "get_Value",
        "t`@6r",
        "gG95Z2X8u1qJlY8h3rO",
        "G\"KQ%?",
        "cornerStyle_1",
        "(FXY'D",
        "Ly3NHiGZ5KTWJYSNBmHW",
        "v3N52sEfTGqokUsPtc9",
        ".cctor",
        "TB8RbMNiWd",
        "uri_0",
        "mQvFvSGxV3ERH0KaJcYT",
        "uQdRR5ryp8V4rQCXX9Q",
        "nAY0QSGLgRhYLJkfFZ3D",
        "lLq9D",
        "qHoSE25yya",
        "_Lambda$__24",
        "$P\\?O~",
        "j\\-|i5",
        "g:V=a",
        "ResetClip",
        "Sjab7NHjLK",
        "p9rA6vGLdTB6Mlqi60SA",
        "VHtbYvRk5D13ZlM7va",
        "GTd@{",
        "wHKm6uUSW75hwB8eMjN",
        "get_ParentForm",
        "U!]iYd",
        "?)|JdF)<",
        "VcuWNQGjxf1vjnfVFpY",
        "x\\RUR",
        "X,{Ty",
        "mpRd0OwfJEK1FepuMQL",
        "St86pJkYpQ",
        "vYOColG22Ax5APJNn7K",
        "4dCd=",
        "System.Collections",
        "U5ZZNIGxPjaCpNlvHubP",
        "pd7POgKmui",
        "hCjliuFnSa",
        "StringFormat",
        "epJyggiEEj",
        "ts++hr",
        "SmTdu8M1FKsqIk48lM6",
        "kMcydVgsGk",
        "jMke3ZpOTS",
        "eCu,*",
        "QbhXktb430jxmq2rtuI",
        "nLSNIgGEOBIFBpWpda5j",
        "zYhxaj5k4B",
        "lRXRHMW28pKDxsLO1NT",
        "kPIdgrZyG7k9FsFkc8W",
        "~j:|,0M",
        "Ja7>w%j",
        "set_UseCompatibleStateImageBehavior",
        "p%0mT",
        "radioButton_2",
        "UqWAcVtdyB6vdCIpiYB",
        "TaS2jv0Ed2EBCn4GMKg",
        "8DBm]",
        "get_Red",
        "Uhb9q5GMpltMaFPp5Z7S",
        "bool_0",
        ")Fqd}",
        "dRbkYkGZiIl7yE3DnmMa",
        "wTrNmCXbIhng7aPmNSX",
        "!Ll=~f",
        "L8pgso213FyuZITY45Q",
        "zwvUuHGP3Td6cDhHtOO0",
        "short_0",
        ";s~We",
        "c+K<JY84",
        "NWnvs8oW8HZ86Tnr1ie",
        "zxWdGsDxZUmI7uL7J6h",
        "Q8vm3wGY66h0hPs1XG4l",
        "ec3ceoIbJx88arSmeJo",
        "HMfQYV",
        "wuEBHYxWI4",
        "ListViewSubItem",
        "_>g]S",
        "d1FMm9q2qaBvo6njc3h",
        "Kw7DhJUwmR",
        "-^#)YxAm",
        "G~>4z",
        "gIcj}LI*",
        "vWmMwtGAcqA6ZNjFQsI",
        "OmsPFvnc9XSsAAJDPD0",
        "A6b50NuMgCP16QxIfUw",
        "wjd6ZVG8ISSmLfilcUFZ",
        "(T >L",
        "tyDSy3GKNolhGppVPXwp",
        "KLhJu7b3m6",
        "sa!%o",
        "aPX'~CY",
        "p$.Y/)h",
        "*VtQr",
        ").#rIl",
        "jwdY2E1XaahOubK8dDR",
        "OiPbN0GwT8beqBH8g7M9",
        "V9sbrEJmmYaDXKc9W49",
        "dateTime_0",
        "IAsyncResult",
        "AB1aAU8evTvEI2TbpbV",
        "4(X,yC",
        "8*;w@",
        "Pbqv<",
        "-USgiC",
        "n32Y0OEKEl",
        "GDelegate19",
        "NpNM0:",
        "GStruct1",
        "method_7",
        "eMX1mEh6LVrNBOH4QhU",
        "GControl8",
        "remove_ItemClicked",
        "GetDetails",
        "U/^9J",
        "GJ9bMKGbrX60AvySX6gP",
        "POBKRmGkn6sVe59UugWT",
        "gPNC&",
        "cU8Btd5pCr",
        "GuidAttribute",
        "QTJ5jtfB4v0cj1H7NVH",
        "a8Py6PS9KV",
        "IS8hQT1wTZYjFw6PjB9",
        "FVrfSKhMJ2foxIYAl29",
        "EtqWoYGmie4y3Zpp3CgW",
        "AssemblyTrademarkAttribute",
        "vL6g8UGIpfKVYdwtn0j",
        "TmbDdGGyLvK5o8Z7md2S",
        "JaaoDbGePrCTGrCbhtVk",
        "gWblt44HWmfsT3vS9AF",
        "GetRuntimeDirectory",
        "f1D6u58MtpZ1keEgbcy",
        "a\\5lH",
        "ExceptionForm",
        "ViL\\G",
        "PiEiCPGlpfrhGdn9e4lt",
        "{Rg$,ox",
        "uj9RArcaX5pfFExWlXd",
        "JF@3)",
        "L'(9?",
        "Xj21vQYhPidDGyq9JsH",
        "Z/XY\"\"`",
        "WvCO3wSr5VmHyEpyD6b",
        ";C4S=",
        "System.Drawing.Imaging",
        "T03ALnBbmy",
        "FwmQ4sG479bBofKohvDW",
        "YFoQ5QGZZLeGdtKWepex",
        "C4Tvn9BmND",
        "b70&U",
        "w1s1XMUamWhTL6PGV6a",
        "P7GcUu19Qwt2SxvCNOU",
        "GetDirectoryName",
        "Rkis>",
        ">` 7u",
        "a3rtAaUXCYrJojcYi4F",
        "xAEqu040NF",
        "8t/{[",
        "nKNxRyn5vbXpJvRabnI",
        "xuj1oKSCoMR3sF1wDn",
        "DUc4JhG3ApxwAjbOZpTB",
        "SendAsync",
        "set_NewValue",
        "SocketOptionName",
        "11.0.0.0",
        "uH8r1cv2YgaV1g17FUJ",
        "QhN0Wo4cKZ",
        "E)SB$",
        "mgjsnviQXEbDkEeKi1M",
        "JjdC2iUZsl",
        "StartupNextInstanceEventHandler",
        "jIkqZoRD69rDHK4rfQ6",
        "EfvtU0GZHwCwKlJwSKVU",
        "DA0P5HPnN1EhnlwutbF",
        "FormClosingEventArgs",
        "IQO2o5TyYo7TcKiAt51",
        "qanCvQgkZlyBGJUe4bF",
        "bB(+M",
        "lMB5hg7LWo",
        "set_InitialDirectory",
        "gdelegate20_1",
        "GClass27",
        "qG!yX)S",
        "cOfyfCtGgP6Ya2nMAQv",
        "35fW9",
        "set_AutoFlush",
        "{ KI^3A",
        "Bf7dkv37bKNsd8ia6QB",
        "vHXvdnfiCc",
        "+8~qnf",
        "Exception",
        "iserverApp_0",
        "mkN4KCGblr2V8IndVWMT",
        "PGNrANuWwaQefC0cQIT",
        "}aD$'",
        "XKnvf44rDmYQbPL3f66",
        "GetFields",
        "rOhllB3xe1gIbVkLLJZ",
        "BFWegwiNWDor0EwLxXD",
        "nlmerKDE7Z",
        ".=aC-*7",
        "H#{\\WNv",
        "x7uyntKGX8",
        "qM1SXVGL3cPv4pygtC7f",
        "=q#&2",
        "2u@^<(",
        "LRXY58QkbQbEsTvgMY7",
        "my2louLY9BstUduSPL8",
        "E51IvIGGPfECB8Fdx4vJ",
        "f2trYCGKDymGhh9yXv3H",
        "SkfemukT1Ayn8WHVGPU",
        "GncQyCmdKy",
        "a09ZlGGfSD0Yw9yco6C5",
        "oNZ]ZJ",
        "GZ=_UZ",
        "set_Position",
        "tZ7ekcXcPw",
        "D33XamGynNXckmtVji5M",
        "pPVsg",
        "uymiadrYDvsXPDGjOlv",
        "a66EYBTCFXXELTht3lu",
        "QVnDxnGIO2sgwtvOqjKU",
        "NiBcBcM6F631ZRYoYmR",
        "|Vh{)",
        "eXGqfVIAyR",
        "hIqWrcbNxAInq6PKs8G",
        "2'i4m",
        "gsGIemdtPmu6SgdiPHp",
        ";:c~s",
        "dxhb5ptVSf",
        "vhrLkN8dqvh6nfoUg1K",
        "FileTransferRow",
        "s0j3vHspq",
        "-w/~G",
        "+=\\FDx|",
        "dC1USDHQnSfU5t3CyZp",
        "dateTime_2",
        "set_MaxLength",
        "set_RemoteEndPoint",
        "u}lO9",
        "KAg5MHaEJyx4FMJ23xE",
        "Ydp2KoGPwflhbekW4t4",
        "JDFZ6QeyVigHg1F75Ae",
        "dNY2JHnVM0ftSRnPuKa",
        "doEgnfKFtivKnH3N9f6",
        "x6ADieGCJCngEpEH8wiS",
        "uu7r4CG3eJHRjEFMOlfN",
        "K~E<(",
        "T7{I4",
        "JseulmhlFlhnGFTpDpK",
        "p9DE3",
        "Rr8SkitQWm",
        "lHZQV9Jffr",
        "K9nj2s",
        "o7cvdcp9qL5G0yuTuN7",
        "G2j70nuiwdmR6nZnkbV",
        "BinCnEGIuiYTQTpjXsdu",
        "uLLgkfGXfYRK3dTDGK36",
        "~})OD",
        "fmY7Ewg0wv74ItlNnti",
        "SizeF",
        "p4UCEfBIpZ",
        "YXCcxINZkDrrPEbmmWI",
        "GFaPVOGLMHFlQ0b4feDC",
        "hsfqiQGSlZIIqBNX8eD",
        "Q\\De8",
        "Label12",
        "eGYCYnGCO5oLBDD6dl1A",
        "kUDkf5PTYUsiI6lhVHC",
        "iMm5G27lNstR0aHbgbp",
        "AutoSaveSettings",
        "eHDam0GAcLDV9o2Ikqhy",
        "ImageCollection",
        "NwshqLZzlyBvN32KVGv",
        "EfNXawjeHbMPcqdJRoA",
        "Juz`6",
        "TransformFinalBlock",
        "NhgIfeOausrSFFeCQ78",
        "_Lambda$__62",
        "q3bINcNwNLjUlxLv1RJ",
        "cAhqyJIIOx",
        "YJgwZki1CL",
        "Zn-ASs=",
        "F0gezWV46R",
        "Y5P7TpDKBq9F5dyyJOb",
        "_Lambda$__46",
        "set_ServerCertificateValidationCallback",
        "nGdQl1orc7FlfCh2cx9",
        "get_UtcNow",
        "_A2W}",
        "]Dq&z",
        "pF8Qr03rEJT1EBD4cRg",
        "9>m@&V",
        "vcfUVbEyiRqhMjMaRRd",
        "g6LM2ZfvWil8NTNqfh1",
        "NnVYQ7IMK0Y1PC731aq",
        "UbRLwBIsvlVfQgxIhs5",
        "Equals",
        "SuppressFinalize",
        ")v:RQ",
        "GDelegate2",
        "aZ7eLMGNa6IlK7NbugqT",
        "CheckBox3",
        "2~P(S",
        "&k)#M",
        "a6Y1MdGb4iegRak45ohE",
        "gcMDPLGPYuKQJGGOPPEL",
        "NanoCore.ServerPluginHost.IServerNetworkHost.get_Listeners",
        "r6{t\\",
        "UhotijGybKsbQjf2kgd4",
        "algYrF6bXi",
        "_Lambda$__8",
        "GetSystemVersion",
        "*o>W)",
        ",x[9aac",
        "add_Closing",
        "|6`[=8",
        "Csfl9AaOti",
        "get_ModuleMemorySize",
        "W8l|w",
        "0d-!mkL",
        "V;vnmV",
        "iserverNetwork_0",
        "exxSwcAnEd",
        "pSEmbgNLfWlxE3LkImV",
        "s<E&M",
        "XFR7YpDeAEAIOGKt0Ad",
        "o1kilcQJxP",
        "jqIrVkL247XCsR8yO0C",
        "get_AcceptSocket",
        "lx<4t3",
        "%}vEW",
        "{4l$<;~",
        "fLbkhaPhWj0PFhquFjX",
        "method_37",
        "(UFr0",
        "lVXqdrEmd9MlwV7WVjK",
        "Iv9p1TbfJUEMCO1SKxn",
        "gcxCFy7Udc",
        "o19sjeGCkH2UPXAa8dMm",
        "b4Y}f",
        "qNN9TuNfQ03ZdwukN4c",
        "System.Security.Cryptography",
        "aUcreKgaAHlkphQX271",
        "OCEvi0qEvfNKVeB3TTx",
        "YOaAtQOgCSe9h3rRwfo",
        "dDlDdZZnC1",
        "afoyHFmYb5",
        "CYuU3SGb1HIkc4i2xU64",
        "WY9oUfGTreOufdI62TS",
        "[@gL5+(<q",
        "CJ$to\\g",
        "qaLtOWTOnRxYOmBicRs",
        "GClass19",
        "get_WindowState",
        "jMldo6H5WdKPkfNKVDL",
        "9j5w0^b",
        "h4qa4EGxGS5dGucoCaf0",
        "ExecuteNonQuery",
        "GetValue",
        "CjnPBeILfLiEKONdKFY",
        "IServerReadOnlyNameObjectCollection",
        "wF0FqtGn6hVd8n5CHi4I",
        "CookieContainer",
        "pL73TfLpFdeMBqnm4nI",
        "gM2areGwLGdcKn9moaYC",
        "PaVELjGxDLhd4gJQ9TyP",
        "($J|_N",
        "zIaTaQSkWmgKbfwurDu",
        "AP6sMtb8Qe1TJZMJek1",
        "tFFFyHews0hefcXg6Pv",
        "lb:Z7_#/V5V#W",
        "KPk|o",
        ",;0W5}Z#",
        "upPEsEGPSfmnlANc5UP4",
        "xcz#z",
        "-W\"Ua",
        "gdelegate14_1",
        "Cyc7wcGCHh8ToqJFJRE4",
        "#$sEC",
        "NxsBmS0WTu",
        "vGjiOUqYeW",
        "EmqxZHlx0l4Lc72vqL",
        "vXqr1jG4Y7CrcpIbuFfM",
        "label_7",
        "FORHo9zJqmfI40YGT6a",
        "KJwT59PqSk",
        "oqnKoiGV4mBnWALpYT4w",
        "GdfCLNGPtEuXhFNVS1Uh",
        "GDelegate26",
        "tgS\"+",
        "get_SelectionLength",
        "lct74KGMOYEMMnaO6fbw",
        "kl;;?",
        "ValueType",
        "e9ZQsMb6HBQwMOvIK5",
        "   <dependency>",
        "aTjvq3GhhPvwV5JUvo8n",
        "xncrZuwpgN",
        "pImkdaJOkJ6bynhnjIy",
        "q[S\"Xm6",
        "sdZn3OrVSvyvDrjaypi",
        "xXwDhMG4N0xMiksKBj52",
        "NEDhZUGhJOqWGf6S0Ckb",
        "G9MdXXq4",
        "GV53FUSTNZ2S99bb99i",
        "53X}sEE",
        "-C1v_@'",
        "*ItaT+",
        "umGdWe36JY",
        "TabPage4",
        "?w+j<",
        "wx2n8vuItZ",
        "3l<*R",
        "HMwVWn1RxTa9JH3ZAUQ",
        "LvYAEv5Fmn",
        "!0it\"",
        "ToolStripItemCollection",
        "iY5wWf2DA9qLLp4EVMJ",
        "gJ\"0d",
        "Je!UL",
        "sJHip4N3sTvbwo7bbV7",
        "tJ5lm4abFRjiSiXFGi2",
        "GVS7KoGewqfTHelcMmcZ",
        "IO?c %",
        "|,b|;",
        "ReadOnlyCollectionBase",
        "GCFn8EH3VE5GwYX3DJ2",
        "get_PortNumber",
        "6pl6V",
        "PaddingMode",
        "FSBNRs01UXgxc7mSUZq",
        "n6FnWC7Hvw9qt7sdBXO",
        "QXCnRA8XjjuqiIrwAok",
        "S9lIoCGwnC2SFwfyW0Dj",
        "oDYo'",
        "_0/)g",
        "V8MrmrBUqv",
        "%YN;|",
        "tU62lXWMi",
        "`YI?)",
        "LwKR6fR6GW",
        "dZOxRSGgdnBAI800nYC6",
        "\"BrD9$",
        "nNqBI",
        "meCel0CF3E",
        "*K%\",p",
        "UccxqmjT8",
        "params",
        "I5SqXQWMdRpjebOLV1Y",
        "jxqQRSDlOK8UBcEmiJG",
        "2mqd`",
        "VgV;*",
        "set_AutoSize",
        "LH7l6DpTiKd5PNFPw1A",
        "[W;xZ,N",
        "Snhm}",
        "HMPB3JdbKJ",
        "r0MbLl3Dlu",
        "Okqe6opyYu",
        "U[ui8",
        "j@4]R",
        "nojTKkCaUt",
        "@\"A\\AoA",
        "ku8Lm",
        "LgY2eCykiSqmxn2w3F4",
        "iFaGij1yVmgRLDuGg9G",
        "Lr16W1wvOKScaycMA4X",
        "SaBSYlf6GfZ8xCUM27h",
        "RemoveRange",
        "ToShortDateString",
        "aj5UpkqXkiFC26l8WeB",
        "Ne0WKBGK3kUeETLbENDG",
        "Z9r(f6",
        "W8lHe",
        "b]9U8t",
        "frc3V5GbtmmP5jiEsRfQ",
        "op_LessThan",
        "      <assemblyIdentity",
        "cRjDKCNTkY",
        "&%s/c",
        "SUMF9SNOXCpZ7sL6eej",
        "yPj7EpPLPBcm4geXBa5",
        "qaN^k",
        ".%f]$",
        "TextBox1",
        "LeoZ4oGrtsneYdKvYQT2",
        "0F)-D",
        "SixoAB19fV",
        "ervmkKGELZN53GIvnE7o",
        ",pc~b",
        "hpiSrHeqKP",
        "FEV3rQ6a3drMDyRLBWQ",
        "ResumeLayout",
        "C[jx@1F",
        "jHO1dJGy26u0RqMCOyl",
        "|IO\\+",
        "bVd&Z",
        "OgWTduXaHUSQ5tBbLTE",
        "CeanEeetdGrryseoETc",
        "dictionary_0",
        "ro0Zv0VNKR9dsQr3ud6",
        "AddListener",
        "THCTRyXiVFjgVYk56Vw",
        "cwXDBNwlVD",
        "EPi6PkG4dtGyA09Hqva5",
        "!s-QJ",
        "h?DPw",
        "b8tMU",
        "j1!x)",
        "q1xRSOBzXGQvHf2O9f1",
        "RuntimeEnvironment",
        "CV7DTpWGvTbBAAnIQIv",
        "BG5Etbj2Nhitvb3oOpV",
        "kboNvXkOm8",
        "w9NtRgGxAvQ0sZGR5mYm",
        "System.Runtime.Remoting",
        "3r'#=&",
        "n.#GY",
        "XSI%j",
        "_Lambda$__57",
        "oSE$m",
        "JMGN0dOlZavOsQquNvc",
        "$9QRzN",
        "crJNMvlWx5DnWaxttNN",
        "QGCh63B2RM",
        "|u 43",
        "~rZyh!",
        "kIVKG6GnFbwGjTK03abC",
        "DHVi7ENJFC",
        "uKH7An6L6Ixby0Hf3uV",
        "t%o!;",
        "DMgA27X1SB",
        "FFWcfw8xLthQvEaZEcl",
        "DateTimeKind",
        "7\\6e1",
        "g9Re5YH8Aa",
        "?4???X?w?~?",
        "Vu9e[",
        "i#moNz",
        "aDxeSnAda6",
        "J3O1iocnPZPXHem1NaE",
        "add_DropDownOpening",
        "Hm0plg4CZPGMLdVcc5s",
        "AKknRvoEW4",
        "p}$8Mb",
        "Gw]Zb",
        "cTpbF6I8jQ",
        "OrYoeKjxKbpdtQiAyhO",
        "xVbFxUGEMv67ujRLxPt",
        "TdJsp9F4DtQ7QbQy57G",
        "N%^}.",
        ",LpX ",
        "s1kS86Ok3E",
        "WuHJ~",
        "get_Orange",
        "XJWickGwYYoYSNG3Rmum",
        "lWcq3ZZLOo",
        "jEOvZDqfig",
        "dsJnjfGMhv8Qv5kw9CTM",
        "x>9I\\7",
        "W-_d;",
        "xEWVpInZA15OQ4SEl5p",
        "Microsoft.Win32",
        "kWtNeQGbea4OqagEoFBZ",
        "eUkoYeR7Orw58XhMrQZ",
        "set_BackColor",
        "ql3HPBHSrZTnuFEKiv3",
        "v26qtHOKW0",
        "g6spLuGYjldwZl51YCwU",
        "+qb0B}'",
        "=A}mKv",
        "qYnX5TIQhEJTqNgAZ9K",
        "!S[Wck",
        "rJk0vbOVhYhWIEXPQm2",
        "=L :kCE",
        "ACuHF0(>h",
        "FindFileTransfer",
        "ydZ;~",
        "Nv3uWDEzFbpEWSf8IZ5",
        "defaultInstance",
        "Mw4elgsoRamoXk0ft9y",
        "a36bTEL4jg",
        "mKQ4lxGYZxmfdfSnswAK",
        "Gt1yyYxRrvkLhpllmEy",
        "Qluq5oQvHX",
        "xnCx7nGRvgTmjcAApB3j",
        "dDisq5GeWwRjALOA2tVQ",
        "qhpNj82wN8",
        "x!LWo",
        "pAu4MITkcoID9sGOxaF",
        "a6HIe4GxUniXcoO0CA6j",
        "iQ1XOov6y9cARWi7kQ8",
        "ToUShort",
        "CryptoStream",
        "NPs.b",
        "zCDjDDPfc0",
        "hpUr5MGhe8xyac2nrE9",
        "FileAccess",
        "WdhDr4GruPMc8oImi9Se",
        "E5FDkXrR4q",
        "DatabaseExists",
        "PluginViewer",
        "FKykGbGCSaslFfMcXjIV",
        "QcUdwfouuGPKf1HkdQA",
        "D97XDgEQ0R01flJ7mbR",
        "YQHpx5GyFMKFddCZpEmu",
        "oiBOpaPOC34J7pRooJo",
        "wlIWL2UqxkuhGvW3J8X",
        "{[9[I?Z",
        "[g)S<",
        "SimpleNavigator1",
        "QVKlsO6PVT",
        "get_LinkText",
        "gJQtRKGLq2WCiUqUOKTi",
        "jKXCkHR0n8",
        "u7wNL1GGUKQSKnMYKaKu",
        "e~wIU",
        "ItemCheckedEventArgs",
        "wd0H27GRWR387ijqCP6U",
        "zhZ3xpfnLCFQFYQP21I",
        "T\\`zD",
        "$\"*p\"",
        "aHmYULOxP3wlrJZA5rN",
        "adQHt47nZqjHrE1kste",
        "]L`%%k",
        "ieA7oLOpCE76Qsfuqij",
        "get_BaseStream",
        "VUW@%",
        "B9dxahhTiFZMRoUPyeV",
        "JeEyrSiMy7",
        "MpFxusuJVV",
        "GeneratedCodeAttribute",
        "KL8C9NGXKQWYu7R3UOyM",
        "#!hYa",
        "H217N5GhLH8T7VFLk3NQ",
        "PbQvoJl0he9cmCk9YRW",
        "PWSdbbGllpA7VyrGZM4V",
        "%{`Vdv",
        "28#VeI",
        "B_r;[",
        "yWxCDJVgkwIcMyRAMvr",
        "cp3xWGOaRg",
        "deXkGQGRxNxxQID8T1vL",
        "k0a8Fdrt3rRfe0orhhE",
        "Xbw0vMGCfxnwAo5X6YAc",
        "DGcqOy2WUU8KD41C4FQ",
        "OpZegZOel2",
        "op_Subtraction",
        "O0Fk2XI1DKI0Kll3yCN",
        "TuyLbv2qPY6QOTLRjGS",
        "]%7 x",
        "Q7WUGtG4JfuRCOekARAL",
        ";MT#n",
        "zorE2FGeTmDbpdXSrYRY",
        "dictionary_1",
        "jsC}3[y",
        "H44qjuFSXK",
        "&BBa&J",
        "a3h3qWGRVpr5KoumHxRV",
        "M7hlzQZcSr",
        "]~\"w\"",
        "xKQvhYQWSj",
        "DJaWrxOoMF93yX3VKFE",
        "Rlg0Ei2rho7OZbWHtRQ",
        "Y4O936GYRQLIW8tAJ98Y",
        "9><d0R",
        "x3ZZ6yTIUcsq7BQfVo1.KINZ4oTBhjvdwZVriDN+mfSV1UTYXvQOPKctiIZ+iC3Y0DTRUMcGOjHenvN`1[[System.Object, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]][]",
        "ToolStripDropDown",
        "C2TFcoYgbZLW1wgbtRD",
        "ClientPipeCreated",
        "y66BKkNYfQ",
        "SE5YDcGIXLcqrrglk4vI",
        "NotificationDelegate",
        "4wOP^z",
        "MethodInfo",
        ":vg61u@)",
        "SJk8jJGIK1ZtTIGRdnki",
        ",t,!X",
        "hmotAkGho3LUoyhTQxcC",
        "~(zxJJ",
        "lb44qG7g34fvxGGrYJH",
        "IB4EI1TPH1AvYpkwUe0",
        "zVVflwGPrkgm4fHu0od",
        "Juyt1jUsbksJ4hEYwNY",
        "sbhRY",
        "System.Diagnostics",
        "uSGNGsGRX9FUFcQUN6am",
        "Qq8CTIVFxx",
        "control_0",
        "eLjfEakHDKAMi4dQBCR",
        "N65tqUq88CV5CiqTWX7",
        "72Jt,",
        "EVp6CknBK8",
        "c?UcI_",
        "UL7fgkFJXn8kICE03bq",
        "RuS2MkdlA7jmMWpAdXB",
        "(E2A\\",
        "q!_<zg",
        "NIIuvmJHMhQkadlrCm3",
        "MrnQE6GL4OSQyCVaFTfj",
        "35%5M",
        "S6GSh2beqlcLxVSiTUY",
        "zNI78thDMxPpNdl6s6w",
        "RowStyle",
        "alFYVI",
        "string_2",
        " Za>GR",
        "uWc7aDGyCVTw3p379CnT",
        ",6/OG!",
        "gclass22_0",
        "Al!-G",
        "uA/89s",
        "BYsBWTGxQGkm50ySZCy3",
        "WDxg4PDthd8KUEbQ5U8",
        "S8VoosxfT8",
        "h#c6\"",
        "WNAijPH5BA",
        "HNkJ5kGwCbaPSiJYbONx",
        "lj5QBmNxXI",
        "dvAwH5TfmV",
        "Dn+[L",
        "d_m,Q",
        "X1VppxGIfGq75ImUpJ6l",
        "|&aE3S",
        "DragEventArgs",
        "WOeQa80pgq",
        "LH2nQt2fV1",
        "7vWT0&",
        "PeoidcX1wX",
        "BxM4+87",
        "y( v:?",
        "rYVMTjGRr2ntwodKxXr0",
        "mvaoreGR7dgkvKhvWYgD",
        "[C<U\"",
        "h*k+%M$S",
        "iB5tuTlYD1URE8RP8ur",
        "J5uxmtoW7ba8q8f8kd",
        "IvcGi D/IXx",
        "]).!oh",
        "HeZSTdzjrWck4mqBB0t",
        "h46ArA1gSE",
        "V@!I6,",
        "e3DQDfiVeC2R4KRJ1Eu",
        "KAauEj36c",
        "VWI6GXbZhYUAvy7Bv07",
        "GhhBvF84SD",
        "m.ywV",
        "UHeVrSGfg0juPJuMyl8Y",
        "Q'@iO",
        "p0LVyyfDOkYrIRV9USB",
        "O80qRQSkPt",
        "bd/P7",
        "(X.'g",
        "method_0",
        "YIodyDgvPHSPnXkdRWl",
        "UYhKnD1k00NpkLMpmYe",
        "SendToClient",
        "LFo3hcozttr0pK7cwx6",
        "1Nc l",
        "T2LOAbFc7f3pv9DEgSb",
        "BinaryReader",
        "IDOjwIjHNbQbrlf1pSu",
        "M1kd[)",
        "c4DPu7GMfmp3bTgkdriv",
        "TrJWHVilXjMWQRyLy1L",
        "LkHs6mEK5SRcTmVq31u",
        "get_OwnerItem",
        "2Qxc{4",
        "YKasvFh8WJKEZbxbdss",
        "UylV1kGhzCtU0KQ0KI40",
        "EQSsoXOS54hFm3bisOh",
        "aUI-3j",
        "r0sRkrwxk7",
        "WQpMVOeWDFipdIwxNY0",
        "LmHbdKg2C6",
        "Y22IL2oMSmF8UGr9VdF",
        "a7V6GELlDAQaWswiQSt",
        "splitContainer_1",
        "vm6h2IDLdxXcCH6PBjG",
        "HiXCm6s3jlHsnWp3QxD",
        "\\TOk6",
        "EeWJPnE",
        "mADHqIhtQ2gGacZeLwq",
        "HAI0Mp63k6tHiOhDj5f",
        "dmCMi6GNyytBOLn2fgFC",
        "\"'2aY",
        ";r8D%95",
        "checkBox_3",
        "aRnPr8GZvvJA3TqJR5fM",
        "fHD5P60BSRZEvPiCwWQ",
        "eEdQ1LM6V7",
        "aVPI9DvgQWVHBrf7oju",
        "lpSRqMqUcd06FHFJiSu",
        "V9aJZYsgb1",
        "zP9lZVsROO9Jq203i0t",
        "gfEh3eGZRaELdSNewDpA",
        "HorizontalAlignment",
        "*Yxb~",
        "w|F28`",
        "X0cJW9IkNq",
        "CMpnPMZk2O",
        "XFlIgXGXLwFHuCbLwIRN",
        "MjomwdMXxDVmmBsS0Cy",
        "PXr7sfcI1tfABl3P8at",
        "gvo;w",
        "h4uPchGwQRVZJJElwHUR",
        "C2kZtjGZkiyO8sJgqfqN",
        "SplitContainer",
        "q78GjIGLSNEGjhG2XuMu",
        "get_LightGoldenrodYellow",
        "45v1R4",
        "gclass14_0",
        "BwOHnFGMPrR30PgdeLs2",
        "qKooH6V6aZ",
        "Computer",
        "mmTPqtGe0mIYtjvs3DIB",
        "q$w0#",
        "ShowDialog",
        ",=84u5",
        "(&:M~",
        "FieldInfo",
        "e|&V5v?",
        "V&Ghf",
        "&QOpz",
        "QEeXYr7DSPeUXO6YuOn",
        "aQOvo3zrFqHY104OwBr",
        "YAPOsr2vrF7Z31ilhe5",
        "oac5dOlJo",
        "xWMOqbmJCy",
        "svB0sF0gKmsi2Kblchf",
        "qoOZh6GlctDy1SfrOnIf",
        "$d+*5",
        "NanoCore.ClientPluginHost",
        "y497HgEawbkvrJgrnT7",
        "dY1qeCsFBe",
        "TargetInvocationException",
        "Q5Euf",
        "t4QZDpY0y3cgpkqKBNu",
        "DCJ52MPM7qYV38DvRWA",
        "NXQSphGRyf90eBfvTYrC",
        "databaseName",
        "vLRUbsGN8AMkFLrqujKv",
        "ttqERxGma30OZU3YNRg2",
        "iTR756INFmcbdtL3pCr",
        "616C6Y6o6{6",
        "CJhfRYmPoNxOZcwyD0b",
        "CwD3k73bSd63CxArQlG",
        "*zymR",
        "qSBGs7Gn5Q9yah2oYOt3",
        "RB2n4RGgcHCi0D5jaKqM",
        " }7x+\\\\",
        ",HJGg",
        "kXN9CQGG73ITGokQ7LIN",
        "set_MainForm",
        "WzW:U",
        "#sL[[SM",
        "Connections",
        ".(g.w",
        "DYSF9kf7C9eHdkSBIJl",
        "cagJGmL8wt",
        "|h@Y;@(",
        ">N\\l~%",
        "OtE0bkv71a70ORqmTu1",
        "tEWxkpkulRbeE6W4TrA",
        "4XcyQ",
        "lI7dLab3ST",
        "]Ml ,cx",
        "H[p]s\\",
        "M3R0iqhNXPsVkcuvWyj",
        "dinqvE6VbNnwVidbgIM",
        "zFCPkyk6RW",
        "BJ8mhmFeYj1cZ2wYxjI",
        "V92n,+h7.;",
        "set_PixelOffsetMode",
        "8sLYx64V",
        "QahO87LvRZGTH8KPJI",
        "Qq5-q",
        "Operators",
        "FromStream",
        "JZ3<S",
        "L915KXmcT7",
        "P8kVqkGGXIfdpVBmb3f",
        "PpkU0JGEqIZ83NxAO5iI",
        "yG6CR9oyD4CGLK72qf",
        "zFQ9N2cbcd5e7XeGX0F",
        "aGtbG",
        "at6cbFuN30PGVINu7pB",
        "pHofke2K9IKbZq2V8e6",
        "ly97pn2oB46EnbpYs23",
        "@KDY&1",
        "IaweWQ4qpttChK8mhEj",
        "MYjtQ2G4ndKAMoNa9nU3",
        "h1tlRWGIW8AFF6WAUBbC",
        "get_Font",
        "ar4A9ecAx2",
        "8[ {z|2",
        "fOMLrSyzEs3Eh1NgwHO",
        "E374.",
        "NZRlVmOOAhYbLPZhj1U",
        "|4H'a",
        "JfVxU0HHtN",
        "Q3{xH",
        "gnfpFSxK203GuGP1OTP",
        "<94mN",
        "IDataObject",
        "w0jP{",
        "uBGQKMpYHo",
        "MIeobXfFYVnpc4L778K",
        "*#%|$",
        "RB3smdot1ClEJbSaqFI",
        "set_Timeout",
        "etTla5d9oD",
        "SgQ8lXGAmSX4auNVD1Ha",
        "PV4NQQGXrdM9gmbFp8nk",
        "System.Runtime.CompilerServices",
        "t5m677DQQlvrpRmm5ul",
        "TabDrawMode",
        "VRigrlG4CV5FLIaQrfe6",
        "tHP^A",
        "@I}}^\\",
        "~/,!$*",
        "tBUt/",
        "-6IDG",
        "<):t]",
        "D08mB2NSGsrG8BJSltN",
        "sVFoyuGw5B01B1W4An0d",
        "yVVI=wy",
        "gRu%U",
        "\"%\"/\"G\"Q\"\\\"c\"",
        "VX]U?",
        "SortOrder",
        "BvCZQ6GnIHnp4lliSals",
        "tpHJShGftVZWoE7mveyP",
        "nRFvEcNjB8",
        "dq0h;hHt",
        "NTwtMtT2KYVNsHWBuMW",
        "F8n[#",
        ".text",
        "Unwrap",
        "O?gcc",
        "EXpWo3GIT6OmFrCIv2Zs",
        "83$_'>",
        "3BR3;",
        "XQAZJdPo1yGqwKVEQr0",
        "ToolStripItem",
        "wJ0O4OzL2V1ysNqL4Da",
        "\"gcsB",
        "Pj1wrDaRhe",
        "kw143TxQl98SQOUmBbF",
        "VA9jfGLdv2Jgvp9sET7",
        "nNvvXZI07t",
        "UPdI9QGguZ1okvQclGhw",
        "IDisposable",
        "oO1eo0ZhYQm5QxjSjB",
        "VBPTsePIoEHML9uqpsx",
        "sbkYa3GRfwk0MxU4u6aD",
        "SB97fEGZGxm8PWDBM6Sv",
        "sjKtjXG8uHQmXAZdvftC",
        ">zN3.ae\\2'",
        "-u7yk(a.",
        "DuCRtk2cptLRmrUiuu4",
        "QIfKBRGIHc4kyGX6IL7D",
        "NNIcpgmrALO96nxivdN",
        "WriteLine",
        "rp1frDOQOKVtqTN09F8",
        "qiym2PGIUvkjamdIhchR",
        "H0xsiYXYlFmtl7uJfN",
        "WpAskmgMGLwNq8e8Hlq",
        "IVk+z-",
        "SlQi4T4hDd",
        "nyNvF5UFCL",
        "SHamQPlSQLJae1dehd8",
        "Hxbl8EkASG",
        "Han1Q3AWbI",
        "EwkNwaOdrK",
        "WilUgspG21eP2cVtYy7",
        "J0anjXRoJc",
        "gclass15_0",
        "C=ab2",
        "HeHZEMUbxpp0gema1Cr",
        "CALQYZhMbX",
        "Fg8JpvxQQW",
        "tT9A0wBwNT",
        "Q05wXQ3aFStFsMFvWHf",
        "method_14",
        "        <!-- UAC Manifest Options",
        "zdjcQbGfTsm5L3g4TtRx",
        "XIpO7gDL5oMeCuQOmG",
        "wJho1cKhoi",
        "WxFyZ2lHNf",
        "I10CJRWE8UlCMvhr18Z",
        "Listen",
        "SRWA9Yrj2YN6oyxHewu",
        "drIZE46kJyETXCFvgno",
        "VId9AEWo2tkc9LT7I2C",
        "snD07Pl3XS",
        "PRBD06mJyF",
        "I8qaM6obubyOTHQnGay",
        "sxxqdvwmaD",
        "H5BqFGadEu",
        "BnmeZ9G88VCd5ioX7kDI",
        "i.B)w",
        "96:T:`:s:z:",
        "Button8",
        "dBhjENmlEV",
        "O7k2uZzUDp2ORYT7HaG",
        "UhPutPRuu8rWGnHL6NZ",
        "akGPbq2hoR",
        "J1tabaGnXUNWDAhh9byK",
        "NJrxRXcX3s",
        "[vL9,",
        "<0{h)j",
        "h|gv)",
        "nBZXd; y",
        "hJGhAAkcycI3NCsm714",
        "U[HN7'",
        "nsxl26j2Hj",
        "(Y~D\\",
        "HpPQx6L3YZ",
        "Label3",
        "kR9935JRfXYrfFo6Eqj",
        "sftmyY6SEj0W74IvOab",
        "6)'h[",
        "HBEa5ZGeMhFbMvxftQ7r",
        "get_HighlightText",
        "r9dTqcKT5d",
        "CYZ_(",
        "hlWker9Mt6wykHLhRel",
        "get_Exists",
        "QWoDCgmagO",
        "8U<w]cU",
        "method_47",
        "get_ControlText",
        "yECamDGVMZmTpWpCIMtZ",
        "kfgoyIGbl9",
        "h9H6wkTIQv",
        "N_1.x",
        "QFVlJLqeJm",
        "TimeSpan",
        "smZvLPG8201l5Zh4G94l",
        "_}H*p5~",
        "GStruct4",
        "AN\\eX",
        "W0CA6BMFAuosSmA868k",
        "vFsnAFF8SEttFEfiLJ2",
        "yDfxEfG4otP6gux3eUTA",
        "e4uQtsGrmR51UoJJW0B",
        "IPED6VGmJp240jDS6g4o",
        "pKSbl3uaqZ",
        "K4QZS0qFl2TFdX6ld38",
        "eDGQp6gA17",
        "StZfkNGYVm0c05agB2Pp",
        "k]{ID7vP",
        "mdYgxJEtaNJM5QJWvpd",
        "lrMlbRrcJh",
        "UaYHach0pxuX0Y0NI6o",
        "BuilderSettings",
        "NQtHdiGCMWMltXkr2yWv",
        "OhGQKwGYnfc6lXQhplNm",
        "DefaultEventAttribute",
        "o8ftF9WgbIjo4N1sykK",
        "*QCrSO",
        "]IzXBT",
        "K1o7kdjpZhLREH8muKN",
        "9Jm$m-",
        "*LY#m",
        "f8[2d",
        "YJhWsRz74MtCUCYvlWc",
        "qqmbjHG8nI2XaK9AxSdD",
        "MessageBoxIcon",
        "a7STaPjiyW",
        "i10CMsxksX",
        "JXZLh",
        "tkrlFgZGTn",
        "image_2",
        "Ri6bKa64Oo",
        "oQC*T",
        "wDHGkCQYtvI5eC3x9Rj",
        "cxQAuPuuLGA5B84EpCl",
        "GDelegate6",
        "GClass20",
        "K,}ZVc",
        "t_;l}",
        "CyiUKUGx0EkasUslL6Fg",
        "aIOHZ97oXBZw8pH6xTm",
        "L5VQuc5BeFjAcYFaLUA",
        "}7SpYM#D",
        "_Lambda$__1",
        "contextEntry_0",
        "KHPK1gGIRLKwB3Wk5xKK",
        "|uY?K'",
        "OvV5j4IwI7TBCS95Rwa",
        "p2WvNqP4Id",
        ".rveKwu",
        "WikyA3grgIq8o5YYrpv",
        "SayusU1CYOcLMgWZTZ",
        "get_Text",
        "HiobywGcLYphkuHed6v",
        "set_PortNumber",
        "tDrhrhSkgR",
        "wgaAMWGYdO0b2cLen3U4",
        "+5%X6",
        "PmG6Xp2pVl",
        "tEag1",
        "YtFPngCx6",
        "GetTypes",
        "PtrToStructure",
        "OpenSubKey",
        "QtV1wWPXKW",
        ">-qy1X",
        "RQc3ohOPe40stalSXGU",
        "jRq7S0BtqwSEqqNTwGM",
        "Sb7zy~",
        "g1rrG",
        "YT[un2",
        "&v7G=",
        "Cancel",
        "ds2sngGlx273ZywFsdCR",
        "T90jJHBicOgdwf1oPkt",
        ")P1:D",
        "YUjqAWu6s1",
        "YLQiWdtHlp",
        "bvAWi",
        "oecbuj1W5lixVI1VuAX",
        "g6YQoV0MXlOF2wl5mZI",
        "UnhandledException",
        "{(?6P2",
        "9{Th{",
        "'D^QP",
        "wxlIm",
        "ibonS8heK4f0sa3HTRx",
        "(@Q\\K",
        "jY:HI",
        "S<`s:",
        "MZpvhOoOogGRypWkSB5",
        "dWK7mUGw81MkTXXe9sc8",
        "YW55O5gdXv",
        "w9hRrk2zGQ8O7oEXQvY",
        "WCKAhEBVQA",
        "xHXJviovP5",
        "pNFlolGwycGV854NLSFv",
        "ColumnHeader11",
        "OGGY5bxJUl",
        "QPLb1fPFSw",
        "e%&->",
        "HZYYNZcj5eCPJMydcoo",
        "fKjbuVABYFVognjeu5P",
        "vR4#B",
        "Gei8cQmH70En0c6lugc",
        "SrvpW0Gw3b6Y1a0N3VTx",
        "/a>)P",
        "Q5Fu2nw7isL5jUb2vNq",
        "Lc2E7S133VeYP4QluTl",
        "^k|$+",
        "d3@O/",
        "oX6qAIbrofJbp5IZB2S",
        "_^ 62",
        "ns8E:)",
        "1O\\b,",
        "OT+M?-N",
        "kc,{j",
        "aYvg5exbSQWIYRZX4cc",
        "YApfsUtRflRc4YvqoYQ",
        "J]g\\'",
        "]ma)-",
        "y&AZ P",
        "get_TotalMilliseconds",
        "gcontrol6_2",
        "get_Visible",
        "XoLwHCWJqG3Ymg86CIA",
        "HePFZwXyhy0uNDpLuCs",
        "uK&J-",
        "Xk-:W",
        "Iia hl",
        "mCh8Zl1IMO7ys360tXw",
        "\\@L1s",
        "VV09kxGnPgL96uLn1w8u",
        "SystemColors",
        "gS0L8f6yToCnWe7RVMH",
        "SQLiteDataReader",
        "iTVNynKVwx",
        "<1&P6",
        "gDFo4m9n6o",
        ",E{7u",
        "avSQK5xouvYjZR46YED",
        "method_43",
        "eIDRvurqNXxmbygICC",
        "ToolStripItemImageScaling",
        "ksoNH'",
        "w4VXGbFdh117AmLusWL",
        "Hrr2Z6GnUdt0hbL3b9Br",
        "BhHvudUk5R",
        "get_HasDropDownItems",
        "yOlBZunrUiZX07NMd1Y",
        "wJ6URbfynKosVZssueL",
        "MrHltbsbIXDMRHZ7Etj",
        "emHMmXyGjalEbkVoghl",
        "\"\\E!z",
        "DlOJoNXRmfBAfYGre3",
        "WCRNIFGlcJfv7n2Qlcr",
        "e4wyjXFpDe",
        "5G2VwgZFycyI9AX3OV.5E8NuHNDYsiDHu2Km0",
        "set_ItemSize",
        "S1N7P0G4PP4Me3gqiPAd",
        "Dc2mo7GXNt6OIpPcccXG",
        "icy8jFGSd9bno1fABoX",
        "Un22TRwar28TXYYFswb",
        "eP<n%",
        "get_Msg",
        "HRH8aKGKz95cQsPImpwo",
        "Ol0D!@",
        "SetStyle",
        "aNfJZXmAt6kt14H7CyN",
        "ToInt32",
        "tfJoV9VChJ",
        "AGmSomhWpXhvyJp4Nuj",
        "GM+P2\\)mCb",
        "oShmh8GAHsqIZvDOThAb",
        "RuntimeMethodHandle",
        "GClass26",
        "DHCheLpRyu",
        "VQ14A2Gh4r57nJKhmNvu",
        "UAKqgE6iPo",
        "`I-WR",
        "vJAeSXZp4AMeoKX6qZR",
        "iconDir_0",
        "prVvYnuLKAHLP3sjuiQ",
        "ComInterfaceType",
        "sDmx6P0myT",
        "ncOyBilyvZ",
        "miI7qqGrEBZmkk6pQ7sW",
        "dq6phuLxW7vvnsw4LWw",
        "8!V `{l",
        "wJAw9Th9D1",
        "CMnqaiSCAIDL7GnFQ6b",
        "jcdHotxxRTuIuNN85Xx",
        "QZy{B",
        "eARz7",
        "vgrlPSr8bg",
        "l935WSRP5q7CN48N5Vj",
        "IyIO6Vvyuk",
        "^d]QP",
        "1_/X7",
        "efCL7OWde0Hg67DmhhG",
        "SoBvMxcXe3",
        "_Lambda$__20",
        "Y0N#t",
        "GClass16",
        "qCwtarZaWgr6SmvrboI",
        "7k*lNX!",
        "tk1p8FGxzgan140AhC11",
        "fBHlUZ0umF",
        "zQo3nCT8P92DLlZyG4H",
        "sasNqxGVvKBgK6144Vrg",
        "PcbYDlv9rc",
        "O091C2xbGP",
        "disposing",
        "typemdt",
        "wRPNZOAIju",
        "h,WUn",
        "s4nmD2EJrWu6CUwVUXo",
        "XBLaiPGfOUVbwgxXN0mC",
        "jdPShyGEeOwsZeHQCMXq",
        "hcLpkMGlq8wbrGaFdwqo",
        "PcPdUWP42b2JQ0ipthm",
        "AddMilliseconds",
        "<4%L@",
        "PostBuild",
        "jpCgKTqJw8nbtSoHkMM",
        "SZydkTQEGo7o13ktpNd",
        "GR5iqBG8sTFdaG2XK6my",
        "V8A6Y6tJCl1Z2CujRno",
        "VQKbb51FPr",
        "_Lambda$__74",
        "UInt64",
        "2.gdR[",
        "Stream",
        "Wcof6fGCosd5CSeCsjEl",
        "DrawString",
        "pgqtl009ql1pbiMZEry",
        "jG36M47DYY",
        "zpng2Kp416hDZZfTR1j",
        "L0VYiMnID1",
        "lZFAfSdNVc4r6pvXpBJ",
        "tAWsOADupE7RGUPdGwK",
        "]*b#c",
        "]^<Mj",
        "set_Padding",
        "omNv4e4Ql5IsSoNN0V",
        "DnsQuery_A",
        "gdelegate11_1",
        "lsbAV7GInTUyhPlrCU0v",
        "X#(w(Nt,",
        "wI10FpGMQ2rwj1hiDnuT",
        "set_SetupPhase",
        "[c0URX",
        "HMSl8oaNedvxQFNM35q",
        "weMqb7TrAp0qr9kvgol",
        "PDC9nrBvTHrAM2J3luH",
        "sBx9jNg84OvXvkymA1p",
        "7V=PB",
        "p7fD1B",
        "t37QwTSHln",
        "HashAlgorithm",
        "XytVmduY8aKSNPXU5gK",
        "-?6RY",
        "set_IsSplitterFixed",
        "method_35",
        "MUBlSHNPNI",
        "dp1oYQGMFVdoxgBVfFYv",
        "AccessedThroughPropertyAttribute",
        "nHGSHSixqh",
        "|nQ}|",
        "A7NfWnGKUBp7V8wY26NC",
        ")'KjY",
        "J1WEWBKqV7DLqi1wiOj",
        "BG23_v",
        "hFRAW",
        "Assembly Version",
        "0:~rK",
        "EwDmnxHn4QpYCHYRjay",
        "b=<GTb",
        "[4jq@",
        "NumericUpDown6",
        "7.K]`",
        "TeWKHrZ0X",
        " U]J0",
        "TB{Ri",
        "ldSZgiG3tEoqlQCKrZS8",
        "@_.+/",
        "gCoT8dlIfS",
        "NqBkGBGr10yCQMcCZYqQ",
        "nWk4HbGNXbLgE0f7RBnE",
        "S8wqjqGRRY0ibMv1uHmq",
        "PdGqake45w",
        "Brush",
        "mnfRxuGMcXRQGsFBhtx0",
        "a{tC>",
        "System.Collections.Specialized",
        "GetGetMethod",
        "set_Persistent",
        "CSelkDj4i2",
        "V5@',a?",
        "pqNhI",
        "DaAHeMj7hUyoEk9OvUh",
        "X4pNeWhi70K93uLG3SZ",
        "sH6K2yL3ZfWXrvxna84",
        "Xn2u7uGetn7XvTphQ0nO",
        "4m\\# }",
        "qwbDReQbJg",
        "W8HYD",
        "aUroINPofwNIIXi5Np",
        "GetFileTransfers",
        "CaoPFw8vReXtO3JXdYd",
        "OhsRLiwY2v",
        "a3JYOExO8F",
        "f6Kql5SKlC",
        "jyGs6GraSwjkWULaQqk",
        "cs2DGAKmXE",
        "t2uPieGg6HvRYoPYgntN",
        "long_1",
        "lY,k7",
        "1U7@c:",
        "KLOlgwGXJcA7vrYxBi0X",
        "MnqFyoZYCTgq2WClgmX",
        "BjMTUByDoyUMmZ8Mox1",
        "XTMlsInfslSPw2GJaZv",
        "wmlTlckyIECKs2tuilF",
        "TaEyo4vdbn",
        "z7OsisasDKhk7oI9uZj",
        "h<qm+ ",
        "OkJR3lxmksoHnTplvhQ",
        "_Lambda$__32",
        "fD5wKglPbmnCFklqV2Z",
        "set_ReadWriteTimeout",
        "ib58ne8PX593n3K9BT3",
        "Utils",
        "eoRfnsWqjr",
        "jjYdnfqorP",
        "GetEntries",
        "vEUDWpwBPMy5UdI6wh",
        "*]Wq8",
        "e6bppRAXGYJRldeqvG",
        "oBxsID4oXp0xyRLpL97",
        "DWk1eMkB1RxKE1lrPws",
        "kernel32",
        "J746e0A7uq",
        "qXTQ8gGM3Zpe2kCQ8660",
        "RPNaEDDMPhnDoPfyh5G",
        "@a@;*9",
        "LLtO62GxZ6xpEjM5KB48",
        "(Qk:Wq*z|",
        "get_ASCII",
        "o5nY/",
        "Cft%T",
        "kKXBqv2LM05aYh1LOTI",
        "7mOWSu",
        "JD`nV",
        "method_48",
        "smZJ2Y8RloBbwPCugUG",
        "kRatojFTEttrlCpAPym",
        "BZ2vJEIZfb",
        "RWOi5GITfa",
        "D_Um}l",
        "PHkb^",
        "URhojuydBB",
        "HLvVMLhnK5bkD08tkOF",
        "_^%H2",
        "7M/iS",
        "aUbB8Eyp6w",
        "gmbFx4TOWxJMfHB1l8t",
        "yFdVAgGCFVZZL06gkFcB",
        "s+5#_X",
        "nJywSfvxT9",
        "xk4RS5TXU1Ijii571pu",
        "get_EndPoint",
        "Of-|1n",
        "5:EffN",
        "tT;]_",
        "))@m?",
        "d*a&jE",
        "zLxVTbmq9qvaqnPmxuN",
        "aN6aVkJrL",
        "KUw2tLYmvMSGchJL8cC",
        "DEQJrv4mZT",
        "<GC\"Od",
        "lSw5h",
        "PcXKSnMN95mkkd955MD",
        "FileTransferDirection",
        "get_Bounds",
        "pmMR3ALjQh",
        "RHpnN13cmIj98dcbTIZ",
        "YfMhx7f8veGnEqcTHJk",
        "m6frfodwfg8abuVXFqB",
        "Y<{:OJ",
        "Ej8lCjGr4aohgEviOp9n",
        "yoifkOG3iX08FoRQuspN",
        "FhylNi9hIm",
        "Zn4O6E",
        "C+2E~I",
        "xqQCnM91b6SOTVg9KkJ",
        "xM_Fb",
        "meorIMvjaf",
        "c@R)g]@H",
        "kwPq7BHEnhjtFfafHTj",
        "hkk3oiGelfGkytuiSG5q",
        "'e:U![",
        "LvbKhfGVaqnXoXqpAUXk",
        "gRtDxhGYIvehdE6vcUHQ",
        "get_Gray",
        "qz:q-",
        "F9OrbLBwIu5XNpPyM6m",
        "dybrTITxfX",
        "YD5TqDqoSmxV8kYjFMI",
        "pRiywh0oRhwZwmF9UGm",
        "HttpWebRequest",
        "lF7d9TI2jONJ4qJAhx2",
        "Acb7wuGXyZiM5tEDRU8o",
        "SxB14MR8HscbftDbiRu",
        "_iqu8",
        "IwSpbJGNLJxfeuYqNkUU",
        "qZhVLPG8C3PcjkAkoPfL",
        "hE912X6UHB",
        "steI1V3FUhMZZ1CZR98",
        "textBox_1",
        "yG4_#",
        "get_Default",
        "U5n\\no}",
        "gB562xGZzqDincrs0tis",
        "1_{s,",
        "dORHrknzmOG8W2lFCOf",
        "ib6aJ2aTE9GpmnkG9Gg",
        "DKfMvB2XcDg6EGEJHH",
        "\\Y_>p>",
        "NjyRUaASKeTxo37Y5tR",
        "LSX3fASfb8DcFDtrHjk",
        "{hT_,2",
        "L2BqxOY139sX0iKpedX",
        "yhGuwvumsfqPsvyXh9e",
        "ICP59dxTln7yLvHCNeT",
        "o5YYZyEbFrf6jXIXBJx",
        "get_ClipRectangle",
        "GDelegate3",
        "VYSBj4uRblQRUGcuFa6",
        "wtT!v",
        "PpnfjKm8Ss",
        "Io7SMkoR7GlXMtL0CW7",
        "TWJYCA8j9bgRpXRLH9h",
        "us3y9JMGiKdqYCncoqd",
        "(=V&0",
        "E}9GFh",
        "t2bjfUyUJ1",
        "fx66YNBAr1CBBHQ2n9e",
        "Ldg5m9hXVKvv45oaXBK",
        "lncIodIF5MDusRwFJsS",
        "CfaDWbq3E3R6AlhFrmG",
        "sLUDgMCeb5",
        "V0b=c>",
        "/Y/UV",
        "%wA;`",
        "hcf0DdUnBC",
        "ComboBox1",
        "#~O&m",
        "set_View",
        "nWNmUxegx9Fw76U6qA2",
        "n9uGCh8iPc3fFrJWV3u",
        "VNQJsLIDIJDB0j8cMhH",
        "VeckN5GfNrY1YP69Suy5",
        "GetScrollInfo",
        "HxoN8kpnXF",
        "nO9nXCWZCZ",
        "KUYh,B%",
        ")58-j",
        "VgPZZjdR2aK9Kxs65yH",
        "\"Km8K",
        "R3SErg3eEBDrGqCCQpX",
        "_Lambda$__33",
        "F6D|}",
        "T3kJNWxfh0",
        "dBdB8wZ9XbFYSbeQMIU",
        "gdelegate16_1",
        "FHqJa9yQj0ZwKOXYwm9",
        "l6n5VbtM2c",
        "uDMXYOGX4EnmW1ZxD4nb",
        "eEHSMXGp9G",
        "UWUbtRGwDYLEDL3lWEo8",
        "fgvwwCyMJ4MbaEqKcqR",
        "xtP6ZdG422m9qrrDok2W",
        "Jp96 ",
        "    </dependentAssembly>",
        "xsaGiAGnT12A1hBnUviC",
        "o70RAvGukFTfc5OWQYd",
        "'VZy#",
        "u4BiAGGm4HATD7Wh1NTZ",
        "RmsQ7dtcxqdMJi9DQu",
        "J4KsZ9GMZfGa9aB3Q8dG",
        "tj4DPQbQ3SJVCVQggep",
        "jW)U)",
        ",0\"RP",
        "*3H(Zp%",
        "e5JslemdPwZLotYwnQt",
        "eHJ6b7",
        "R1abadEEhX",
        ",xxuBr",
        "fXMifN17FB9fhbqcgkk",
        "<Module>{6F53801E-7E6B-4CF6-ADA6-069C03F41663}",
        "rdv0kgAI1D",
        "s5rJf8YdlcUFcOuxoVc",
        "R9ypWxsj1nchw7xnVf",
        "PropertyInfo",
        "Z+Dyd",
        "pYL6RIbUF6",
        "pPPEA6qLumlo0Bm4YOG",
        "Y7I5udGCIfvvMZc3a6pr",
        "IZ5hIK483EyHFdesYGH",
        "DS4QgYYbcX",
        "G`G=S",
        "aNJH3yGKg1tckarcw9lb",
        "eventArgs_0",
        "R3jJkboml2",
        "JOeMqPxjwRsw7ZFkfWH",
        "cfl66P8HmF7eoj9g9qV",
        "eTCNuEQaM2SqhaUMcZq",
        "JSC8mWKgSABJKohXcUw",
        "kyUzT}",
        "p1hm5SgcqeVtXs44KsB",
        "ToSize",
        "jSeJfyGmBnHCXh4XnZUh",
        "lqbtHGGlbix1fsT1T0YI",
        "C6cGVAWZt",
        "U6uD5BGe8ue2EGcaGnxF",
        "fRCd8qG8YbgASouZeoTM",
        "RSjHkuGkNgngn6kvixmo",
        "AhU6I5GhncXg06lk6fg",
        "OMZrJZwPM4",
        "Uqw2xcvlFBtTIVCrYBk",
        "qvq9WCGPJVJrNlrJMutC",
        "vrvqM21GeHbUysguPKE",
        "[T0a?R",
        ">Y{pj",
        "hrJ97j",
        "g20xqChyM3",
        "dUX9je0KUoGhHykTXrX",
        "G96BvLLDhXa8ruT0Q4v",
        "Xna5DordTYVtGSIXvQP",
        "wVFyvhP7ELlafsyf2GO",
        "A0D6cLQNXlySB7SXmev",
        "hVplPWG8RtBTRRqK3tHt",
        "aZP5LYcGQd",
        "DlAX6Nbo9B4DYxxHKPX",
        "ToolStripItemImageRenderEventArgs",
        "L21jYwDD97",
        "tlih7bYIC3",
        "LuqxJx0sEw",
        "GDelegate25",
        "iC3Y0DTRUMcGOjHenvN`1",
        "VqBKT6GKMBFEO9fKZU1e",
        "dateTime_1",
        "ReferenceEquals",
        "GNAjJeNIEY",
        "ok2QwIlCLmT28nylDYO",
        "#cKEXA",
        "DeYAw0G80Pu4OMxf9SDU",
        "pyeXl5GN1VbMagS6xVia",
        "eMRG2JlJ175JjE7ku6E",
        "$i{tU|(",
        "mRklo",
        "lEL2ex3l1Iv1jaHDmdN",
        "remove_SelectedIndexChanged",
        "yRxJ4fzYDXLAvp4qPZr",
        "ObjectCollection",
        "b>):_a;",
        "zvaH9cGARwcf0fqY4xKC",
        "_FpDs%O",
        "}ZKgS+",
        "y]%fX",
        "UR7igAe17ykdvyGJvyx",
        "gdelegate7_1",
        "xRZhJYGYFxFJqjmk7aaS",
        "RiXYUzB",
        "E$3KN",
        "HintsWidget",
        "TniC6cGAKyScATmcuG2g",
        "PipeCreated",
        "Button4",
        "CheckBox9",
        "Q5jyFu0ScR",
        "F&D5'",
        "wr7srgIgaGs1AG3hpn",
        "eal0Z7VJuZ0hxBHhVq9",
        "VpEqzp0A16",
        "DrawRectangle",
        "rTfvSAdoLr0c2KRhu1P",
        "gwsrv9Gbn3jdUC8ZCVKp",
        "add_ThreadException",
        "a4'JJ",
        "(*.192(3",
        "ItemCheckedEventHandler",
        "adSlrgDZ1R3Vc3tBSTC",
        "A{73,",
        "Ur\"Q(P",
        "MsaUYk",
        ")\\&[b",
        "AtrlseGfBuhLqD7chdav",
        "rYCFCKWK86jdDCEubu2",
        "CkKrOW4fykpkmNo5pTl",
        "HH8wMj2OpN",
        "aGjxI36xHB",
        "xfTlXHnGES",
        "NumericUpDown5",
        "AwBOBIGKFcTbsbJUKpFo",
        "F1ZeCewmCC",
        "kGPT9ddINw4Pbp2XqEo",
        "rFqwEdIG97",
        "gis0xhUDkp",
        "wN2akIK0rb2B899wIoW",
        "VhCDSbwn07OBUYPemtM",
        "ejG1h7ANMV",
        "U74ouSqdKx",
        "cPTcIkGCBKaNXAJTlCxN",
        "MqCmx5kxA6wE4KSaFx3",
        "pL6fG5GZBbaH0P7ZkWYh",
        "+v+G]X",
        "set_FixedPanel",
        "k6ZGDovDqPweEm5FZEs",
        "GetItemAt",
        "=x,6$n",
        "int_7",
        "vTGiKLGg5qGBETdmZ7Yi",
        "PictureBox2",
        "h?ufJ+",
        "ColumnHeader13",
        "fl4mxtmXYshv7uGZKxK",
        "Activator",
        "[l~*F",
        "u]l5?",
        "wkFWolGKcIEsVfQ7OUAu",
        "MQnjVBGlPJtVrtBhptDK",
        "y2ZEpUEYg5Ma4MVCQxa",
        "=b$-u[",
        "r7i4yRGrjYGEPE8av17H",
        "DisableListener",
        "OU6lNAAgdMWH63r50Z1",
        "OMYOJbG3bHobqjvaOM72",
        "AUpWZT",
        "s39DtKLdOS",
        "WiJvameB4W",
        "rcJ2ukVT7NWK7EXZElW",
        "pZop80OFknqCM1GI6w2",
        "ITHHZ1SSNiiFjwJalLj",
        "sSvCPQUILmddfneDkNX",
        "dg3Ge533HvJGgdNkrU7",
        "1i;_]",
        "G.IGS",
        "SI7u.",
        "Lp0tKcDmh5xO6x6NQwf",
        "05e*+",
        "jzo>!i>8B",
        "}Ep.I",
        "[_*~~",
        "hpbTdg5PBmIXd5si7fC",
        "K8ah3NGbRwFfGkp94dvf",
        "D5cbLKVL3pwrrEX76R1",
        "oBrutTES49vpcEGeLUu",
        "veUYK1b92hKXM5L5v9m",
        "=7yma",
        "uKyiFBGRbeccTcr5NVMq",
        "(UlEK",
        "nHo1eOGL3F06ReNlbqn",
        "MFB8RmGM5QJ49nPyCaLv",
        "GQYTHAZQyROM47rcNAJ",
        "LZ0X$",
        "LM65qAGPWdAmBi8fvo06",
        "XFM3HIGY88jIbLVFnxw8",
        "#]Q=U",
        "zQBJAQ7bTJIqqc0SQMN",
        "akV8krGCiRkbAjIHGq0U",
        "GDelegate14",
        "add_MouseDoubleClick",
        "LlyrYmJYMm",
        "~57NG",
        ">UIUK",
        "G7VM#",
        "D\";\"I",
        "G9GdQPGR0lYp4aMCp1A",
        "V6a5FaGfPXS1wuBtuipb",
        "FileShare",
        "tnYxlbYIc8",
        "List`1",
        "1ClBr",
        "`']uR7",
        "remove_DragDrop",
        "MSIF1DwfORYFw3YRxK",
        "r]MEC",
        "B6nwM8GNi9LB68Nj81JA",
        "ASRq8rPZSy",
        "u0SBGp6R6x",
        "UGI2OE11SD5hr",
        "zo8wLZ7Pmr",
        "TXI1VP6bhS",
        "ICryptoTransform",
        "Aa~Up",
        "!{dp,",
        "{ov%r+",
        ">rZz|",
        "sO2c9CMD5Pd8vXkG6t3",
        "T3GqmoVkji",
        "PJw1223QZ9uoOpTkSJs",
        "G1fT7pd88wDOprM35hq",
        "XE3bCgkfWOuOtUKDu9m",
        "koqbmLjyCgwyUda76Y2",
        "MDGLIGGeYskG5upD3okE",
        "tklYoEiTnP",
        "KO75ldcsQLLiFdIYljm",
        "Array",
        "FiDOwVMOOyDGU7Pkx94",
        "F$Ap%",
        "wutl55gUG4YuHwe0oOJ",
        "add_ItemClicked",
        "F0ADaHUu9GJTT9hqh3h",
        "rTt14XN3mM",
        "\"edXj",
        "]3sUX",
        "Environment",
        "Yjr2KSAQYfZYCSW3atc",
        "WB#]_PE",
        "AHDiPUvgf9",
        "lT62vo6NqaRAnNrWfRT",
        "            requestedExecutionLevel node with one of the following.",
        "X0IaonbsYK0jqtFOiot",
        "method_17",
        "T21eNtG3z1g6uG6Aqc0f",
        "J |yb]~",
        "System.Resources",
        "vw4E5rGytPypAeu6GGo1",
        "int_6",
        "wcidthGIoRT7XXl7mc59",
        "z#FXs",
        "tJyW5WYD84jEtlu05eG",
        "lgO0TrUi4XidEt62iX1",
        "T[F@t",
        "#-Y O",
        "System.Media",
        "zyJav8FCrgJonv7tcFI",
        "xEIs8GGfffkjmg4EZt50",
        "l669EnGnldbHawYV8KH9",
        "jO7Olrfl3i9tqoygj8",
        "Padding",
        "tpMmgnGKRTN9u0cgMCAG",
        "l5iDUUL5Eg",
        "/2<rm`",
        "TNmftXcJYmvAVekuuBE",
        "w95dfYTgiQV191YwpYP",
        "fdUvRFA5BSmZuuKbYX8",
        "H6YjjWrifiItQlg7krm",
        "ixTc515YZhTLkZ0H6hy",
        "wiIwPU3UvVgWmj98psZ",
        "<Bcxt",
        "XEuNc9Z8Re",
        "\\x+H=",
        "Graphics",
        "mbgi09nChX7mZ8pJoRe",
        "oecvnJJcmSGnxUMCy16",
        "lRlod9y4cB2dlyrX5lC",
        "dADDvKK883",
        "if1UmfGZgPlYrX4iHHxZ",
        "VcKj7xmzg5neJi8xges",
        "V2FvgbjztXif1rc3Jc6",
        "`ECG0H}@|/",
        "ToLocalTime",
        "pxXk55GRs1ydl418vmJo",
        "0r|\"dI",
        "'up<l)7O6",
        "JxfyR0kruf",
        "Offset",
        "hMRNfxeNIP",
        "kqY=>",
        "      <supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"></supportedOS>",
        "QPGwP6bK1MfkDc3yUQM",
        "BringToFront",
        "F21bgWg7g1IXR7U8YIE",
        "DE416o9wZ32aB7qkoPJ",
        "VarFileInfo",
        "IyxNGIPsP1",
        "aQ3Ml3GLkxPkxrZtjIjP",
        "gflOWYGwVacPSElSn5cM",
        "[S\"L/",
        "set_Proxy",
        "MouseEventHandler",
        "WfG3-",
        "<$)H^(D",
        "aDgGlF4VAGJA2GreAWA",
        "Q\"rf_",
        "GFwpX4BgYh17O5dKb0p",
        "button_2",
        "DibB7xGEdSjZ9GO6MfLs",
        "gOIDaGEgbQ",
        "Cn36x2rUbmuA0Fko6qn",
        "i0pnyPc71hvs0EWdY7L",
        "jAph64GY0huMIEPo1dE8",
        "VnRE6",
        "Ih9ohpOINR",
        "dBZYWqioEH6pF8NkJel",
        "yTHYdC3RBi",
        "pYHlMSeldqREmxDddNr",
        "rp~i7",
        "DijYm5QZDQ",
        "bool_2",
        "get_ItemOf",
        "int_4",
        "oPv6f32XgMKDq1T2PS2",
        "tiR3D5G4BeD6uK8bov2e",
        "DFresW49ND",
        "fm4bArikT6",
        "}Qmi3",
        "Sig1LtGKZBiSZR4JeFnR",
        "FixedPanel",
        "uNDhuLpeRw",
        "Q2>*N",
        "get_Width",
        "GroupDir",
        "t-j<?",
        "4V]pg",
        "cNjw5G",
        "%| =Mi",
        "Q%s=M",
        "uuFNXRLXpq",
        "hLRkJfGAYmDVW746UpGW",
        "n74q7K1FjC",
        "FPKDk1S0wqbrwQwUUbJ",
        "rRC92KHJaaQHkvqFpAr",
        "Hs97nKrTY",
        "UbdlChlAvrndd9IVVNH",
        "FqGPlH6dTXFHdkBeP0",
        "Nk40jKI5SrYLrW2aAr3",
        "SpecialFolder",
        "OQrDxjGzYbFBIZhYELW",
        "xbV4Nk1JLxvu8Ayty6A",
        "UFv3ZIGZucdkGFL9ihGb",
        "K*ymN",
        "O\\.'xM",
        "l1lboK3Zrk",
        "7lR\\F8",
        "JhmShqGlY9IlqBEj4KP4",
        "IClientLoggingHost",
        "M3Dc91faRJIyjsG0GRD",
        "M1xdMQGmIrL4nt4SZNuu",
        "zfQJiLQF2q",
        "RW1dKYgftH",
        "CdpKUWGPpfgQ4bAHkmNe",
        "notificationAction_1",
        "~oXxj",
        "U<,{sg~j",
        "UnhandledExceptionEventHandler",
        "*5&g8",
        "pfImbfOiYmFUGsQZrwt",
        "get_Image",
        "SystemInformation",
        "d0rWY4GKkPV62WOxRhw",
        "l_/,V",
        "CXPnstGbCxs3gW65cSeo",
        "LwYhpSAzvnVnTATTEMs",
        "UU2yuGB6poEHh6A7LUT",
        "ContextMenuStrip3",
        "g\\0R!5",
        "IClientApp",
        "ChCEehGmkyKlnZWihKL5",
        "_Lambda$__77",
        "frhrWYjEiS0Z1GkCXSs",
        "OIkEVXGC3SOppDG1cmag",
        "=C4%u",
        "T3RBMk6rouMUuhoCnVg",
        "jbLcIcX0TcBKy4LlbOr",
        "Translation",
        "lEWqVoB1gJ",
        "mscorlib",
        "LIZrDh3CTv",
        "iIux1oRLu7",
        "jXAfeX1TWwyx5SwWLGq",
        "pb30h9wn5G",
        "rnFTacV6DxrsiTcXZuB",
        "set_Sorting",
        "WS3NNlfRQjxnBAJqqG0",
        "WgoZvmGeCIEwFF8E7wUZ",
        "%'/bw",
        "CqH93",
        "IVuC)",
        "HupNdmGe50tWCHT9YqKF",
        "V?[KR",
        "ICtPvDJCcT",
        "M=}*%(",
        "RBM6isL92Z",
        "ToLower",
        "zCOvqbMnX92Ba8PfOGj",
        "%:I8U\\",
        "n|'/$",
        "Cvj1U2Gl0FKcVYmj3nWy",
        "BRgqO21boKKlAROug1P",
        "G'ZXdT.ADns",
        "(mRjqS",
        "V8.*V+",
        "RM2lqcj9XZ",
        "k0jCpp3L4kgeHPfI8up",
        "cNmkfJGAdkwt7SsEYtZI",
        "+#ZJ1",
        "MnvCHKMLnEClPvOjyUF",
        "KxmZISGgpVa5jdw1Cp8H",
        "HSKaeMnTdGWx60drEcT",
        "<TS!9&pO",
        "hKI5E15x8XMf0HWdxfN",
        "ud0nVlvw2p3qPy5OMki",
        "kZ@Ki",
        "Wk584QGVkGAPqdnAARLA",
        "k1aXVmC4U1I2kDWm5J",
        "mwTOMGK2vwAE27N4HyB",
        "gLynbVGnsj2fHxiWCien",
        ",Bv^5ZjP",
        "pjCX4o9f4x6M7vxbDUk",
        "int_8",
        "TqxBxcQHtY",
        "kF32eIth0C0t17UiU06",
        "k7Ui6PX5MQ",
        "abS1idgMY3",
        "|Z~3[",
        "hZrpMPgArDDENeTodZB",
        "Q0n5gHGrqC",
        "eNnn2my9JruFHIrljkf",
        "jHoj3aueX1",
        "AppearanceServerSettings",
        "hbwLxM1srmdHA2oPuy7",
        "n}L~l",
        "2m5l>",
        "vmyBHpWTMLINouXO97",
        "DOHoxw4AXOIVmV3kmAL",
        "SelectSingleNode",
        "DXHbPEGC9Ytt6G0HDfUw",
        "RVCPUYGA6Nb2nmrL2CEq",
        "p=Ni1",
        "By7dGJmqwU",
        "aakGe7fJI9ZRValBCIK",
        "GDelegate10",
        "FNjPoXkQ7B",
        "ZoeYD",
        "\"^15<H",
        "e/$T0",
        "gADtcaMTy2epjcb38BS",
        "f)M>F",
        "/Drwn",
        "aFFwOBZNrD3dcRNoPE8",
        "get_ColumnStyles",
        "?XG5+",
        "zF00omQPdgsEQlP2yZt",
        "Label2",
        "GIFnYNpOgC1tFHgymT2",
        "SE40Bd0CtkapkPEX5GM",
        "F[F&#",
        "a0h6YlW8TkcN5IW5cSi",
        "ybnTeb0TmT",
        "DEVma6lVUV2CFpnpRgf",
        "%wtyG",
        "vmj9GufXpYbRiIGSmDR",
        "WNjiXWMLcD",
        "/mH_8'",
        "<-\\ITcf",
        "f6FScMGGbR1rymkSjgl9",
        "RneBeQdqooU2VFXvqc8",
        "YaWpxBw2GLvUI1Lv7gH",
        "rrgMHxIlqO31xuuLoQA",
        "EntryExists",
        "YtVQNhMfVZn9DD6I8c6",
        "jsiB8DNjtouBji1IABJ",
        "TabPage2",
        "OnControlAdded",
        "MCrGNlGnqtnmNMJ9ZiI5",
        "]oRy=",
        "YLfMsVEs8Ua6PHuYRpl",
        "vmeOv0HAwoe1eaBi2L",
        "m4nqzq0cbM",
        "i?[-q",
        "LlECuxzzVAOcsn2l7cA",
        "B6lwl9dgNy",
        "om6j5QGNFucSAYcTkDMk",
        "3)H)|+EmV",
        "-.%=r-",
        "A/ d1,",
        "/Lg8tK",
        "{i}gA",
        "Y5#2P",
        "m8CpytOm89oGUX7xU0H",
        "-<5Ez",
        "ResolveEventHandler",
        "knbLhAGP6RK4PvhsddPg",
        ":1AAY",
        "Bz+j`cE*",
        "EMrxUbG3N3iSr9Qt2AP3",
        "k2.i+SL1",
        "ReceiveAsync",
        "fX*Kw3",
        "Q5LtKInqXs7PIa2n4XL",
        "ORWMCNehNFkRb1WphMF",
        "D;&m'",
        "IBKyTFc3L9CfIYCZjVg",
        "DashStyle",
        "xlTusXGyitrLpfIkt5s1",
        "ToolStrip",
        "sender",
        "P4GyAFa8qKr7vFRKPnS",
        "wzs74U",
        "0;><=",
        "set_NewWidth",
        "WMxWSeGCjuMnxg7lmuDQ",
        "?5=G:0_",
        "r~ohm",
        "nlFCvJSQLNyBfWL9eT2",
        "`s-2X",
        "UgnVOAf0nhVwYUnqZx",
        "#]}7\\",
        "ag3ySHyVsf",
        "GW&vB",
        "A5GJpDbT4NegtH4BwlT",
        "vV9YS( d",
        "~N 76}",
        "rWmvg2TTHlPeL2BiHYc",
        "MouseEventArgs",
        "LGlhjwZXBb",
        "Db6ZG3GABxlZ0ZntcsBp",
        "U5MllsWqiHduFApNOIn",
        "HeKbY",
        "nlqvQp0Ux6ljlFreqfK",
        "N-Mw%",
        "Uj6jnAGwXYVmvn0QNfKG",
        "o:L#_7?`3N",
        "gxrYssTyW6",
        "iidnd4nvoQQGly2rYcD",
        "IKI2x",
        "Wj11Oj5SZk",
        "LFgds9Ghvt4bmcSGwC9e",
        "ej$qn1",
        "aS7hsrGYW5vbLT03DvRI",
        "xTZP6Xow1RhjJRHxgxb",
        "F9Jp[ZI",
        "</asmv1:assembly>",
        "FPLSj09Yk5xrV6nKIVP",
        "crfHxw0cJWcBMfP6mpD",
        "JNqdjdGg4fNNpBFUmOVd",
        "ort5MPvkhX",
        "nOwutFPeWvlOmceZRCg",
        "n1uAcD4mwZ",
        "\\&FY[|+",
        "f-2jO\\Z_",
        "ZcyBk",
        "Zc{cy",
        "L3RQunjyMG",
        "_zp3vx",
        "TJNjdgfh8T3wg2yh502",
        "q7:L)wO",
        "SetValue",
        "4;9;l",
        "CmOcnvGK605NQB88FUuA",
        "ufpwXiqHxMGBP6m9C73",
        "iG3jh",
        "wdgiwm0Uoh",
        "h#hllZ",
        "mWUmM1GP9gi9nPOOeYiw",
        "0NM@7",
        "SetCompatibleTextRenderingDefault",
        "vYh7w6GeJQtpowCnBCEh",
        "ogixwSn9JaqlVSmigOR",
        "zGUOI5vph9TlGm6R81K",
        "jZ0BNjPLQN",
        ".|\\m^",
        "ymoSKFXh4c",
        "DisableToolStripMenuItem",
        "u_%oj",
        "ihGhRrGXmSWP7FJqhZ7n",
        "-cUcK",
        "%G!qI",
        "client",
        "SvLBIMLOfWNaeLEDDt3",
        "Replace",
        "jMooIRAjQjY52HbvdfD",
        "Uwi^\"N>V",
        "get_ButtonSelectedBorder",
        "qWvJt9TbDq",
        "j9pNFs5trNIZwoopvQl",
        "gdelegate5_1",
        "Ww8ew5aLa1",
        "SetColorMatrix",
        "result",
        "oDLL4",
        "upaPa",
        "get_Handle",
        "V!E1f:",
        "B0HyqM5fJIRuy4qQ6fF",
        "Yht1yufHTC",
        "tuT7XHRsA50rA0Wghd7",
        "tXbKnaajl77DJeCD3eR",
        "F66T0J5N696CjHwVYpj",
        "HyaWLHVqyVVeA3jxxBC",
        "RvXgLs2HRvP0s4PrHMk",
        "kZqFQBzSid7GsMErRF5",
        ")&+k'",
        "XClRgn5H4k",
        "value__",
        "ipendPoint_0",
        "SuppressIldasmAttribute",
        "ae2R830bKV",
        "N1OExUKONxY7cWE507v",
        "X509Certificate",
        "GO9ii0Wscj",
        "Dc3DJPz6yQsEyEQykDW",
        "S0c1VeGnVC9uolWPAO2O",
        "bMHpL",
        "R72RZ06H8r",
        "gstruct0_0",
        "zz(jV",
        "Button3",
        "z8L&T(",
        "PaintEventHandler",
        "WrWRWUfBAX",
        "ToolStripSeparator1",
        "C|P+q",
        "C5DKy",
        "mBE6S8lH9XOZ80w5auZ",
        "kfa1NWI054wiPU9yV2Y",
        "BRDKQHenKnctCDFnIIk",
        "kyvApGuyFG",
        "gPThBiTTpJ",
        "ExVFx7dx669YKQ5x5ye",
        "XkeFilGnx6rTcdfqY8E0",
        "cc8rSqGmfrZ8aqtecN8O",
        "KuBj7tw60kHawWRRMMx",
        "m:|?7",
        "MJLVT9GgPau4Y8p1UWWL",
        "OxwaecjC7mSgwoLYYFc",
        "gtof6oGI3IM9BtZokCm0",
        "L87KGpe5P0WOtMH53f3",
        "M0dwERGL5VU1eSClik33",
        "GClass31",
        "8'xg4h",
        "wBgAwvrAP5",
        "4'i>$",
        "GetTotalMemory",
        "&8?62b#7F",
        "set_DialogResult",
        "Uq7378U2mjTNN2NrmB",
        "lyHD9VPpEL",
        "c:z8h",
        "IPGbFiFnmuhLFjm4YQN",
        "sJ8qo0r3ys",
        "cZRtdAGLQ77v5Pv7bjST",
        "G!YJS",
        "qJu0YvgwunlOuBOFj0L",
        "cWshV0vq5Q",
        "w3I2OE1znsOFZ",
        "AddHint",
        "DOU5LLGkVmk9Ti3WP1NP",
        "QSJqM",
        "method_5",
        " ]x]>1;",
        "WriteBlockData",
        "c+y)b?I-",
        "LogServerMessage",
        "3mRmJ",
        "vSIHcN5h7DN6TSsNou3",
        "DebuggerStepThroughAttribute",
        "Fd|0g",
        "get_Action",
        "TFPMX",
        "K2CSZc7fsF",
        "hBPFWmHOY9Pmm4FUfeA",
        "dV x&",
        "aGeD1a4u8ghDkfTyIxu",
        "!>c\"x",
        "a6Rxd3rRxn",
        "jBIfHJXuahIXFe9rtNs",
        "Jo6XQAnLYBC3mBmU8E3",
        "JnwXfLhoB4Z9EtKrTdd",
        "IbP6tUyEPGNvtwfj4So",
        "NKIQ4WGRBp",
        "/By3<",
        "qWF['",
        "g2x+.",
        "remove_MouseDoubleClick",
        "q4cjAlGmjjfyU0H8sRSS",
        "op_Implicit",
        "GraphicsUnit",
        "iPQMTwWijxOXXGYLp5o",
        "NgVNPXaW1b",
        "K_/ k",
        "_Lambda$__68",
        ",+Mp[@&",
        "__StaticArrayInitTypeSize=40",
        "UNyQXYGZfQcpCCiQJdFy",
        "SQLiteConnection",
        "NtEogFCZ26",
        "LRuQU2GfyEhUOLiBsNFT",
        "9%/?,",
        "N^t'5",
        "A90TGA?|",
        "DvgpJuAGwbqILBLWXX5",
        ")s9\"8t",
        "CW9AZqbufa3Oh0ltM9Q",
        "c7Kn1kG8QLVWZaO148XD",
        "cg2n1uIIe0urQ9WFkf",
        "get_CodeBase",
        "*\"{1>2",
        "Rdfi9Qju1uRCyBjUPsx",
        "uU66vNwEHy",
        "JD@~ts",
        "M3ujgoFCbB",
        "O9ixD5cwcx",
        "NmFtPYGMS3yHJFrh73EP",
        "!Rc&z",
        "float_2",
        "LinkClickedEventArgs",
        "FoN',",
        "Ks1*@%",
        "FileTransferStateChanged",
        "JI5Jnq1nwwo2oSg7aqQ",
        "get_Offset",
        "32Vvj\\A",
        "FindClient",
        "iC5o2MBBNK",
        ":\\\"Usjg",
        "Xt5qrGQXE1",
        "qIayG5uz8MIjqdFA2Ki",
        "get_Id",
        "RegistryKey",
        "IjIAkL1a82",
        "QxfgB",
        "y(Y}X",
        "get_MousePosition",
        "N\\9z`",
        "D69GYy5928cYsmiYZNB",
        "W67h0VadhT",
        "G4L5AKaxO71OWq4Trdc",
        "MyTemplate",
        "lcwcsQGEjZy78f6RDDJw",
        "uxU381GRKfOkpJ6pra2Y",
        "htYuf6Z80ErIUWOxVDJ",
        "ControlEventArgs",
        "NLRSfPefFR",
        "J9bPvcQZb74kXErc6S9",
        "GetLastWin32Error",
        "zfgNG32PjhfVpkDs5rU",
        "coX1686wUoyeMT1EBw5",
        "~{S0Kv",
        "KqpbFN7XOu4UWXrhkMt",
        "dU07KsGE5K0LEqjgbrJ8",
        "7~Y# ",
        "KCr5GWAPrqlTt1r6g7s",
        "lYLkU5B03ktM9T06ke0",
        "WZcsVwWAO5bEZAJjHEH",
        "WebClient",
        "control",
        "set_ImageAlign",
        "Og3!B\\",
        "&\\@ge",
        "b.!a~-",
        "mvrF5R7UpbIY087foCK",
        "ClientPipeClosed",
        "A6DX5jVnCsmpUJkUOe8",
        "Cr8+*",
        "YPSFWNGm9I18lrTD6l14",
        "ul81UIiYnJbpgbTOm6q",
        "ReadInt32",
        " %6Kb",
        "Ruf1mmGliBeqkkmDruMp",
        "4q)j^W>",
        "PwvixmRWSl",
        "heTucDGksbtDFiJIoOg",
        "EKJ08TZRUQi2utMG9fX",
        "k8WQ78h9ol",
        "VUlK75xOgCVsqNEy5ml",
        "NameValueCollection",
        "Background",
        "))BIp",
        "GClass9",
        "JA4rp7Jj2ySW6Qg1hX9",
        "/nxO&",
        "RX7Iiwm8ZFWEHEFKFR",
        "QPNFvTPB70x4CZgjLo",
        "K?Nh\"{",
        "dRarWZVHmjFjG2SGqM8",
        "piWJFAcZwv",
        "G5RemisNOU",
        "_Lambda$__4",
        "5x^L^",
        "CZV0wTYPodYX429v9KO",
        "DCBeNW0DmWOYWikHns3",
        "alCtRd225CtuhZ4MbdG",
        "pLceTcLWbI",
        "GetPublicKeyToken",
        "q5bOKH5UUL8dnhFL8kN",
        "[L.a(:&\\",
        "J{;W~T",
        "BolM4xGYzIMVJSxP9FHX",
        "ARkl5fgmcU2qCfAQ2m",
        "IFileTransfer",
        "SUDf@",
        "EiLPObGmZ0EknEuDhCK0",
        "nZZRM1AqXo",
        "-mbst",
        "XI3\"~q",
        "d9T43PhrgAlBr8WIs8U",
        "aqQMqyGb3YTGBMfNWGYw",
        "set_MinimumSize",
        "gCZfpPGZXe4T2wkOQ1bE",
        "K!AE<",
        "P+F24@f",
        "dwDKqSAyU5RTFKjqlTX",
        "M84UjxWCx6HWu02xTsn",
        "ToolStripDropDownBackground",
        "RM}k+",
        "NewsViewerPage",
        "SRbJyBWPQA",
        "TabControlEventHandler",
        "fJn8McGECTYyojQ46EWY",
        "XiLZFydGiBeX97NMl5p",
        "csjL0AMnEsbR9pD2Ld",
        "Ps/q2",
        "rGEnrKYiIK",
        "Blpx3xGGh6HfygodTrYe",
        "K1kuJQGeHcybbH3JI7tK",
        ">McU>",
        "uJgCvHp1HCuf5Ok5M01",
        "HwNPDdGNc3rmKu7d175R",
        "qAtFgPGyV0Eabk9wJxbJ",
        ";a[+b_5z",
        "c1myC0BOxO",
        "get_Size",
        "tosTKMaOovyHk8qKyJJ",
        "p>*[M",
        "hnaHLFENUeL5Ql0AQ3a",
        "_<ceY",
        "AssemblyTitleAttribute",
        "set_HotTracking",
        "M.W{_",
        "O5uyXKtjlFxeFd9oRcv",
        "_Lambda$__29",
        "rVNTl8MQuOYI9IUnCc3",
        "mfK?+",
        "egwBlqG3kOTjGNqlO0Zr",
        "Dispose",
        "gR8GJWGRDR18NKrKmLQV",
        "Keh20XHtpkLou5uajlM",
        "vI30mBVHaO",
        "ADCrNCEsZc",
        "h{NG#]",
        "+DUfGk[3",
        "XDrSIkDjPs",
        "&t<hz",
        "o\\Dz ",
        "lHjHZwGXgdds37lH5Ige",
        "ComponentResourceManager",
        "oNRxIBGKTJggnWIP5e0a",
        "label_4",
        "P392hdGVRlAI1QkjR0yy",
        "B8RCQ85ZE2",
        "e4C[J;F",
        "R|Sjm'|K",
        "Y^Y|9",
        "OuiFkR7ePiWJSJuIfWP",
        "Vft8swZXais1ExuQX9W",
        "method_22",
        "OgcQDELXFm",
        "M;::M",
        "serverFileName",
        "wE9OcxD6Yo",
        "e9%&7",
        "int_10",
        "SortedList",
        "x{8b1G",
        "Xs3iKQ28lv",
        "H)^\\1<",
        "R9Yjc384MU",
        "GOkDmLRZ8M9ASfmyE4N",
        "get_CurrentDirectory",
        "WZedrCtPek",
        "FRfQEKG8r88RFMWnkb1Y",
        ",!%9#",
        "5xxDP![",
        "MP\\cn",
        "FKnECdtN5Rwg0Wm2aFo",
        "P5Cu.p9",
        "ReadBytes",
        "N|%{`",
        "HXqJhUGCsPWgSpD1Skfk",
        "AK11IbJIc28KEWXBlLk",
        "s8fYRsA9tE",
        ">q|Vx",
        "N5rcUVI67o7R5A4RiSp",
        "jHGYh",
        "hr}%Q",
        "OL)lw",
        "7bxMiR",
        ",nJrm",
        "gEZoSsDVoRQOgLW8ScP",
        "ED7otfBykR",
        "NA4dyaSWNlOkmIBVH52",
        "set_FileName",
        "wiQDZ5OmQ9",
        "yO1ULAGCPTWZFdJuaR2q",
        "aPUprVJeLWqrrSo2U7n",
        "TJpYCgwGt5m4puKTjiT",
        "fljWC13WMS7D3daqLoP",
        "get_GUID",
        "dgUCI1GLAZn404uOrtyG",
        "txeYv8nR0u",
        "ServerSettings",
        "VRewGCgOGf",
        "ASBTrG5HS1",
        "HB'R_",
        "SplitContainer2",
        "set_DropShadowEnabled",
        "l4a16wGRoh0x490yB7Xe",
        "SaAOhXUymB",
        "/m<VOX#}",
        "wAKxssJkLO",
        "gPRe2n2N0mXT6h0KFCH",
        "yRURrklx5k",
        "jmcqXNttwo",
        "get_Question",
        "W6nQl0FSa1BYpPjyN7T",
        "R4QSm8YmJ8",
        "s3sg8Gem9SUPtg3JNSv",
        "SystemPens",
        "w__j5",
        "pIDMiBMkTt431E6h8Fa",
        "SQqxvAJ9xS",
        "SnFLodz48nO44KFCcgn",
        "\"lu#5",
        "kXfvV",
        "gMafoZJDVF",
        "0'^YK",
        "mq#tL0)",
        "hoTjjiX6MD",
        "0J)D#",
        "get_Alt",
        "FB4J90N",
        "Reserved",
        "VyHPNotHkgWSerkgqtP",
        "eEG,f",
        "jmkA4CYFyj",
        "Uw7OkZJHC",
        "W7mNdTdHfMRaKbiNpXy",
        "object_0",
        "YhAwntG4DeUPfluAPmgZ",
        "ANHnE6lRf56Ers94ZwJ",
        "l80RD3wm3q6l3hCNjru",
        "UriKind",
        "S23wXVxgD6IG8EriyCq",
        "u`_n\"C",
        "SizeOf",
        "Conversions",
        "aGgj7uIdm9",
        "auLavg957nWF8Vx6Hfs",
        "U4i7XlG48CLZOikiMqq2",
        "N!oE`1",
        "!q+MJ",
        "DemJUly05",
        "nnaQy",
        "a5mb2vGmTmYm1yO68ByL",
        "nb[3P",
        "Hkho4m1EZVMjuH8IRi3",
        "PMYKGLd48bMPU5pPo8F",
        "AYFqRNBJpx9bsMVyPww",
        "`J&+NT %",
        "NDDBN",
        "r25M8D5yxwlIybgHpl8",
        "System.Threading",
        "u05x9jHVro",
        "imageName",
        "B6gJTgDbeM",
        "xPbD4xNKBW",
        "HnVXWJDC5NX9XAaXTyN",
        "VolAvamBnaoLdiiJEaO",
        "mGp2SV9xCQpA9K3hexP",
        "pE4qMA",
        "DBF4Zgb7YH8uHua8Phe",
        "Uh3jBKCbqr",
        "AXs1P5YfQ2",
        "p2AdCNGP4JhArIESKE2L",
        "set_FormattingEnabled",
        "ttKl3uvEd070a47TUmg",
        "AmS0aSGXwlYAccSQOQHl",
        "gdW06F3foj2O3lyMTfD",
        "Microsoft.VisualBasic",
        "QdopgtPUe5eJJ1BAu3I",
        "AppDomain",
        ".6%H,",
        "xeSivYgdfKfTVKqlm3Z",
        "v&4hF2",
        "RAsmOEfQ53A5HmBNt97",
        "hkFTqhbpv86tF92NQIm",
        "l5FwlSiaZKMQrMNF5JZ",
        "xEuXqUGbVXFgaRplLWVD",
        "dNjD6um3epLUwJYIJBy",
        "5j)^T",
        "oHCJk]",
        "LUeJV",
        "2=II7",
        "obW6QGe3gdx7LMTbOw",
        "DN2YO7SH2PLTqWXbcqO",
        "3System.Resources.Tools.StronglyTypedResourceBuilder",
        "set_Renderer",
        "IUy6WcDSIYbaLilPBjN",
        "HQP\"b",
        "lqLb3rKtgssVne67Rb",
        "krbABOXPYDehGJRq5Lm",
        "get_CategoryName",
        "Hashtable",
        "ehBEi3G8tC87TiFOf4VW",
        "wpAO5QGhGTlNNN3vR0ei",
        "jSOreNGyxW3T0E7AQtTv",
        "RCwY0egRW9OQfU9p94D",
        "nrrPqFGbaefx2mHXFRDR",
        "nu100lld2k",
        "yD6j8vGYTsAYX6FL8NUK",
        "-Q~[}",
        "GClass17",
        "oHhQ7LDjDIPZsjp2m2D",
        "viOebsUh2RkdQJSxdQv",
        "pHJANIGnBuZVmnyyG6Sa",
        "KGGjKcGCnTVVdmg7bk17",
        "OQxx4PGE7XK9ObaeN0HT",
        "W6(7F",
        "cDmQbHaLhP",
        "wddJkv4vJDw0v1dDB9V",
        "XSZQNhLX9y",
        "cs3UIHvyKEGTc86tLq",
        "get_Columns",
        "op_Inequality",
        "OgIKmN2l4I2F8vOZNe",
        "JY1PyqGlXF6h4LPDkNE5",
        "FD~*\\",
        "(D+m}",
        "Details",
        "pr4eN",
        "LinkLabelLinkClickedEventArgs",
        "NZE02iXUFs",
        "Kc%<q",
        "get_Time",
        "TcD579btCer99Powmss",
        "ImageList3",
        "DFYp92GroLZ7rrcUBgwD",
        "qfEOrKw502",
        "m'Ym'.",
        "UIaei5DU2uBV0QPD0W7",
        "WUKCPsyibF",
        "P8>qg",
        "HjXsOcYVgOEF8xHlbkK",
        "yuxlfbA1EkgQaI8eqFj",
        "EYUO2yokon",
        "textBox_3",
        "cVTpm8GZWI7ybjxjSsYl",
        "y1PdLDknZEkKJcoLODq",
        "&dX[na",
        "T=S[~DXv#",
        "}\\E)Q",
        "Whd0LGWXqb",
        "DVTAnxpHUo",
        "zGBt187r2y4qgu9xJOf",
        "AwJve8GbLYGQdeEt5Gfe",
        "zDME0h4augdSZChFKQy",
        "ReadString",
        "JW B_;",
        "O8wxY8n0Tx",
        "}d\"&y=-",
        "Client",
        "qeaI7DGgnQNaOAleHdjW",
        "zIVUrP1zqIgx4fvs66X",
        "aTbpH6lKMvqsFMtrofE",
        "Object",
        ":u=-n",
        "get_CheckState",
        "F6EGLfeOK74Oojqn0ns",
        "Ateey0G3rLCGiXeRurAx",
        "gJGdBYM9BQN4NEk2LAk",
        "a6LAdJZHtb60y5LlSMo",
        "get_UseCompatibleTextRendering",
        "yvrCNXZV4S",
        "get_Message",
        "wanvryStSw",
        "vuRR5v1pOuX3jGj8uKe",
        "kVX0Q6OWcjO8YSEkcFe",
        "cU4e5lDFR2fPOf9ZNDF",
        "GClass11",
        "Ccq1GDSdCb",
        "Fqm0E2Si1L",
        "%/lTE",
        "NwHa5TrIryQUdmjG58y",
        "VJmwm5x6Gl",
        "d7I7F1xC16c1QyFK6pb",
        "set_DoubleBuffered",
        "x+rE6a^",
        "7erY!",
        "z9rdYwE8uiVAN36MFkP",
        "zFD6cEGrloc2W43USDxG",
        "int_2",
        "GBtf%",
        "t5sfDdsEJCamMdLmxLM",
        "nHDCwsGhgyEMT9Qbto9S",
        "add_Opening",
        "Concat",
        "UELhauGnm9mtERA44CWd",
        "EUrTghhM9B",
        "GetInterfaces",
        "f`tfM",
        "SIhTLfpH3Iw1XrQN5hs",
        "znPN5c7RWk",
        ".igM{",
        "FYtr0rG23SJhl2i1Efd",
        "jnGtepGfWMr8yGTSHgbJ",
        "ExipbJL97cuW3uI3GdN",
        "d_/T6",
        "lvbHJWdXnr2YuxdyBh0",
        "tVWYKTQxba",
        "_Lambda$__28",
        "qMkHSD9Ef2G0bW4WR9E",
        "N=GLP",
        "set_TextImageRelation",
        "nVYvwZJ5VV",
        "MrJDchTIOuVPMThBqdV",
        "fYNMBn",
        "zR+kw",
        "?CfZR@",
        "DytDwQGEMV0O1LetWcXI",
        "jDDtuvGbqvt6UVIlFGwK",
        "Y:`F{L3T<",
        "Wd/sN`>",
        "PKHGrh4DpDtXWLqJykU",
        "XPAYecpYf4IrDqM3GAY",
        "{DivvI",
        "tqaCkoGX7KFrFKNdRL3U",
        "GiM0KoGMl0GitNIbTaOp",
        "THJCocgM7l",
        "yj858HHxo8K4ykB1VCl",
        "R 6X|",
        "eTfT'*",
        "0Sy_M",
        "LdYRvljF04",
        ";@4{L",
        "set_X",
        "EmbeddedPluginsPage",
        "ToBase64String",
        "IIJNS7GRwQP75YkqevGx",
        "set_AutoEllipsis",
        "&$(9K",
        "AddRange",
        "LoadLibrary",
        "DrawArc",
        "SYNTAC7bUv",
        "ko4JJpyoEf",
        "DF5Kv9z9Pa0HTtnqMDV",
        "CancelFileTransfer",
        "set_SmallImageList",
        ":c21w",
        "LL7wPRMY2L",
        "'6Ia/X",
        ".6~=\"",
        "xL323",
        "mH4q2ehsHF",
        "3r8y6",
        "KFueWb7FgtdJdc13O2K",
        "toH5QqGKLJRqr2lxkmCH",
        "AAHel",
        "lFWw8vGMNOS3sjhw6baT",
        "`4 BW",
        "jd0QXZTaHGuMuZyJn4A",
        "CheckState",
        "_Lambda$__63",
        "htmr3SPt6m0dqSo2XnE",
        "xX5FmYbVEW8vTQqYDRT",
        "|d9zhtW`",
        "lRNdp6gqog6HX9PIjkw",
        "=/KLf",
        "method_23",
        "e'z&5",
        "AtIK6xmJpMh1Gt65RI1",
        "button_1",
        "VGtRxbHMZUUuF6biEKk",
        "_Lambda$__18",
        "AppendText",
        "daLDYZt4lS",
        "5Y[/[",
        "nlteNlMVh2",
        "nQB5EVR5DrO8dYHp5la",
        "xMHF0ohbEQdGnmBqWdO",
        "MgeLIhpv4oHpYwQJQwG",
        "BogNDcf9SSBguqVQD3s",
        "get_Port",
        "CvEOWaGecbDu1h9tCBk8",
        "ghl2IN",
        "ApplyTheme",
        "0<Uh7",
        "A8IfZgEf3RYajGrPBO",
        "<y{Te",
        "f\\ 1z",
        "w*6H:",
        "ejIOJmlNedSi09Lwh9Y",
        "Tm-?B",
        "ShutdownEventHandler",
        "qjcEjnGkfCsTG4A7sBhR",
        "AllocCoTaskMem",
        "oZpnnWhmGy",
        "l/e~F",
        "_;`{/",
        "k236qZVtw5",
        "idnTp7FAnY0YRwPJty3",
        "c5UwnBh5gFYXBxjXtfl",
        "I0GC30GKYH69pR3yurOs",
        "VWrIpIGfcpAtKGKs00ZW",
        "LxJ3QPJnuk2rVlcfCoN",
        ")0f<k@)",
        "Kn3TlAQr7L",
        "RmidmPuui5",
        "F1xDHqMSHOBmtAWxxVk",
        "remove_Click",
        "OZfPdAlQcOmhuqShOCj",
        "AkENWKhIcPu2hVttIOc",
        "AnvsC2YYYdnYeFwS88",
        "|OJ w",
        "Zak_qV",
        "zCGGdvawmqkeNiyXEdy",
        "yayNAUUkUjX57e3xVGV",
        "PTdDCqAJ6jDNIZe9tHh",
        "pu#Mnf",
        "<t|S3",
        ")kG4MU",
        "YAvqN2lA99",
        "RatingControl1",
        "zATBSsprtF",
        "XkfhfPIVPvBII64eh5t",
        "ARcAEBLUR9vRpY4RP2B",
        "            If you want to utilize File and Registry Virtualization for backward ",
        "Label25",
        "MBcv%H",
        "d92bHpjgVY56l8MbIKr",
        "QNEChpRlFbQpaXHoGUG",
        "get_ParameterType",
        "KBqqYGIiytV168B5a1r",
        "r9$)I(S^|2",
        "EGEKkHe4UHRVYJB9BOC",
        ">W?Ng",
        "JBRbGbGy8FXke86KSelU",
        "dYVBQKl0Dt",
        "EDOeMdpFGFwQHM7CwXm",
        "gcontrol8_1",
        "doo04kIvnfKm2IHEWhA",
        ";hq&F",
        "y &aE",
        "hX8fnDsPJ3AliLFjpO0",
        "EF3YykTKuFiS4e0dgrE",
        "L8oy,",
        "K0m7HqMihrNYpNmXC8D",
        "qIe9dfm1XQwuJ1FXVMB",
        "hRunN0HbOQ",
        "EwY6c9VWfrm4vUqCquy",
        "RevJhjGEXpdg51qt8hrX",
        "L:58\"L",
        "}6J.E",
        "YB0d3ELpoT",
        "fwb:,",
        "eIlHoRzd6TTZxiUiTiV",
        "PIcbeR55jrEdamT6e8r",
        "actions",
        "HOoHIhv49oPW6qRwyBt",
        "CreateDirectory",
        "N5enMI98X5",
        "    <security>",
        "obTeBnaC99",
        "ZD&Au^",
        "rCcvqwenn7VjDaQ5Yv",
        "kD0e0iBVkd",
        "mcOOQJGfLLg8qei1i9eD",
        "sdgrf9Gy3CLaZHReOeuR",
        "aCwDXgmQWOg1liPt3ZI",
        "xHBDPxbJRXHYDCfhJPR",
        "1<pB|",
        "LocalMachine",
        "cWrDt6aYE1HsW0pF9fD",
        "AyLu4LekuxRc7divCGI",
        "iHVocG6NRj",
        "OUDeOpTFLT",
        "4r,fs",
        "HIOdYoGKpWPDbSqZK945",
        "WaitForExit",
        "VUnk|",
        "h1L}r",
        "vW2L1PDT3hOZLgq5ZET",
        "eo68PuGh5f4CWpp6MTs5",
        "xs9JRS2jUp",
        "A78xLDSiY2",
        "EaWl7GbT9B",
        "c|ubS",
        "XXYqfUaDfetqIj4gJjp",
        "5+525",
        "GetRuntimeTypeHandleFromMetadataToken",
        "bFU|j-i",
        "Q5p69aX54X",
        "A6JCmwjmUvysiVo8eOT",
        "eCaeavGeUOataJQePLFs",
        "p3GO3Dl9LE",
        "ePOhAn2ZLR8WwY7SldE",
        "xY5oWZv2Fv",
        "9*XUcU",
        "AL6cZqGhXmknWH2CyinB",
        "LXo6aTcxjooSNXiqvED",
        "AddHours",
        "RoWRwnHTI8",
        "Hhhlk4GL8pBvLNAlFpdE",
        "-hbe*8g",
        "6q3wC",
        "X6mntmkfNy",
        "),ejui",
        "5hDCR",
        "=,Md[",
        "cfdlBoKdf0NcMPZTBIe",
        "CM0h9HqzmpPRrkJREVj",
        "tQNKPvUzjrjud2leB9K",
        "Ds5nbyrwMAOnBCKV92n",
        "BR5rvvGarPPlgCbSQh5",
        "Rfc4RaSpSWtq19Yh5JK",
        "xcFyjBNhHWjAsNZrQ31",
        "kALTjlS3DI",
        "jJffVfGe3059j4NCI7si",
        "      <requestedPrivileges xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
        "p_uF(",
        "acAdcaY3gq",
        "kwLhjudAjEklkSmnTto",
        "gCe&z",
        "acXAGEpg8Y",
        "i8!)d|4",
        "AHfwQ3ZM41mxMvjmMls",
        "mLDycJGAur1vIqdZAZer",
        "ReadSingle",
        "zP+M ",
        "X0h3BjIxLhTyxF2xJ28",
        "VFyXX0GhBiInpnTZIQIh",
        "GControl2",
        "8r\\aB0v",
        "WUGd9NuUTVnnsJxeRoM",
        "GDelegate0",
        "sgN1g2QkUn",
        "OnMouseMove",
        "System.Configuration",
        "|j'C8",
        "Im@;xKM",
        "gVQrJ9GLOZryitUFOG8X",
        "Sj4FoZLiy6fGBbX9Ywt",
        "~psE:\\t!",
        "MAxkifGnppHPkVOW6a1Q",
        "shell32.dll",
        "uCAd1",
        "UrE8ub50hsrvb13xkHc",
        "B2SOII9J7V",
        "XJHlMnrH9Z",
        "AddLine",
        "TableExists",
        "kqGsqG8ce1GScr7Bor4",
        "ZRd`S",
        "set_Result",
        "ky3[W",
        "aN8VCTpSMfKHyWyPBA",
        ",tqpu",
        "v2g5ZhYxV8dTt5IwjbT",
        "          name=\"Microsoft.Windows.Common-Controls\"",
        " 1B.7",
        "YdWDQ1GPmmyBYC7v69cY",
        "Panel1",
        "SuCFOoGGfTg639LUMnp7",
        "NUBibhG4U55jiD9AkpXE",
        "X5Db9CGkCBoDO9NwqJPv",
        "01qBWj&",
        "dJfWdsGwbSFvlionwTXj",
        "NZGOV",
        "!>m~^",
        "Xq586yGGNLKVTtFewPcN",
        "auwL0mfUPVp21vqqdX4",
        "A] zBaW",
        "LegalNoticeForm",
        "K\"rUo",
        "aupBk?",
        "NyxZNmejpW07UdmLCTZ",
        "lg@Ij",
        "5z)CJ",
        "RGZ3S5JrDsMYwEG2dRU",
        "kVOCHCNuSBQnCleUtlL",
        "QjgBrBAmx8DandYs892",
        "qGZvxFOLQjRw5QN8SHR",
        "set_AutoClose",
        "G4jBe5loca8yb8nn21u",
        "KhZbc1GVcVS1pBw8rpuf",
        "set_FormBorderStyle",
        "NA3mQoWxJBBlyaWB2Mg",
        "SSwZsAGhwP8uGH9M5EH7",
        "IrSUmkngkHwSoyLWL6r",
        "O. Ulg",
        "J0yRx7GAyO53BdryIIkn",
        "rpFVD3N0SFlwAuYRmCo",
        "u]\"N9",
        "RxvtMfSgPEnOnFNTD6f",
        "npsU4Bu0JXAOV49POyP",
        "jjMicgPgx4HlFk2rbYF",
        "KUcqFNAiQPHXgxVEVHL",
        "g^JUj\\.",
        "LicenseType",
        "H+mGy",
        "HtnkngNpFnfp2JNUTK4",
        "Wuw1o9Rw2fH3J3KGiJR",
        "lGNbTDFoINFyuMi6VBG",
        "Wr`yD",
        "lnQJVkiP1O",
        "Aj90OnOdiP",
        "GCyDmGvyEY",
        "Gic4Hfsy4Wbbm6nVaJD",
        "Fvk166b95S",
        "Kja6hcGGva8bgFQYSC5T",
        "W00qStNSxq",
        "mUwldiJtmA",
        "rXmbZ3Gg0YQys1PWW1xm",
        "MeasureString",
        "%zS>f",
        "WriteAllBytes",
        "fY84rG40jWchUsPNyDH",
        "Qfd3LCG3ucVHwmq2P0OT",
        "Ye8hDvGAwE9Mkf535rE3",
        "R>&;M",
        "Ebk3%",
        "E7pqWROwSErULPRFn1e",
        "aBJHFhWF673DXirHL0w",
        "SsjORnGLTYwL8jOH7tpJ",
        "zEhK[",
        "ksuAFqsBHG",
        "Y7KdQvUI4D",
        "l3YRA7UQYnsoZNwK5w6",
        "hDg7)",
        "KnV59nxlxD",
        "aPEWw6GnzfraVbiIIKmY",
        "Xjsi|",
        "lBpr4e6q2C",
        "PymoKxc9HxORywTVP05",
        "_Lambda$__26",
        "ReadChar",
        "MZYbH6QLucSDBJybjfv",
        "GJdPAyXkPhMmax2j2ot",
        "GKVekSpdoKUR0Ap229i",
        "e39qK0cywZSm3pPMKgI",
        "get_FileSize",
        "query",
        "CS~UNI@",
        "=|#zDXQ",
        "P7AY0hPH180lCS9mwv3",
        "tabControlCancelEventArgs_0",
        "gayjdsshb8ZyOTrLyqa",
        "SUrmc",
        "BHGbaATxHQZUaBI8RtG",
        "j4HbQX7v0u67minKnsF",
        "07lmS",
        "evXSngyoOE",
        "nvO2Ea25RGAgad16O3f",
        "FgRKnkP2OnOubP1marY",
        "G>Lnav",
        "spQWaUR385lKOHOe7Sw",
        "remove_MouseEnter",
        "set_State",
        "QkVIhEGgfAlS6YuYOIJT",
        "<VnRIaht%",
        "#Blop",
        "pCg8pgbyja9u725jX30",
        "TTCN7Dn4YnCMXfaSrN0",
        "YwnW376myTPIdpuRqwa",
        "V6{$I",
        "dL>[:",
        "gseOtsGGKgRif8v8s1xW",
        "gLlNVKrJKZ",
        "/Tgz>",
        "y6 *\"",
        "dOjU0WH94pk80ypAxfr",
        "QArA8rnXHXDIOZCkvLY",
        "aaLbXcMqgi",
        "| (c'",
        "get_CurrentValue",
        "j6O+e6",
        "uG9563GgV8myWuucCJXK",
        "K14sfUb",
        "Q6S2ZKTTonenJ73ag1e",
        "Bwtbr4G4wMyxlWBQXmXe",
        "C2bZ>",
        "Ua<yl",
        "PluginUninstalling",
        "sh63h4BhaTrrO2Yb50h",
        "ADWLXXGMVqBFkW4qGQVJ",
        "POXJMQGxyv",
        "0@fl|",
        "VGxAtCGKxQHXWE1sUkNA",
        "!ENakP",
        "E8HYrUD2Ll2YTiNJjuO",
        "CfiOsrOGy5t8IHaJ8em",
        "q9A93c948H0Ih2cnkNC",
        "ET204e1L3",
        "SocketType",
        ".}f!.a>",
        "U0q9b",
        "hsmSlEGZsfMXRUuN4JBq",
        "nS2hLyXk0Y",
        "Bkd14I3TkfVxajq4EqJ",
        "F851VmW524brfIMDTtY",
        "Mim8vRS1BkXN0ge2PlU",
        "GjZtjMGlNAxkA7DkBRLG",
        "LEobht2Uod5nItM9tBD",
        "Ig0NCIwtRT",
        "ysNoruZOgt",
        "-D2o%`p",
        "OuiL[",
        "yFcZTbs",
        "VpMAvTGn6a",
        "L,<^d",
        "R\"9B.",
        "fkga0OqainpjFnQlZJH",
        "7M7h7",
        "O4U>c",
        "g4Vja5lEiO",
        "Ah15al1M6VD2HtyaDYy",
        "NECou2LS5iL3ixAxrx",
        "4tXmk",
        "method_54",
        "P7RXy5yukg8NAPLsJ9d",
        "Y0Y8fORYcrh2OxNKMl1",
        "TYnD97GAUsmmG2sHJRX4",
        "urWCeh3KTCkRByHcOMp",
        "UpdateWidgetAnimations",
        "set_TabIndex",
        "get_Left",
        "XNrm2OGfAwrZ8tLC2p1O",
        "CommunityPollWidget",
        "SH0rRlAqH8xL892efMY",
        "        <requestedExecutionLevel  level=\"highestAvailable\" uiAccess=\"false\" />",
        "v3ywCXOK5q",
        ")6)P)c)s)",
        "X]J'V#",
        "_Lambda$__3",
        "X6G6.",
        "AX)f0L",
        "HuEM41qQFxrYCfQr7Lj",
        "JotlMU1cQT3vB0BvuME",
        "DpbBU7yOv0",
        "pDJrCfcUn1",
        "J10RGtGApuapd3HhT59q",
        "1f&w6v",
        "/}o:P",
        "5.78H",
        "STAThreadAttribute",
        "Cihu4iJsIYNYDRmQNYT",
        "\\DZtb",
        "XJxnV943hMYtxe21J3P",
        "Ln8sYPGEFa7sfPNnySY1",
        "KICAx2Dnlj",
        "xh9rTQGbufyVTXUQgQdT",
        "kXhyVgGgYOStyccMRCwS",
        "color_1",
        "nl5OXN4ble6H5pcmV3j",
        "WYQov9WaBK",
        "KBpBXrNbo9Cha5OyYFR",
        "WriteInt32",
        "Vlm8ZtaKmgiPe7EoSN",
        "j]0\"!T",
        "FormStartPosition",
        "A5EEy7KncucuTJDtqgs",
        "EditorBrowsableState",
        "L tC|",
        "uSmwx4TWyEsNDthPUD2",
        "a8xZ9QGf2o3SNyORptS3",
        "set_TransparentColor",
        "StrongNameSignatureVerificationEx",
        "Obw6gXpxvH",
        "|xI_K",
        "Ik#F_",
        "FoDOexQqgh4Q9T4K3Js",
        "list_0",
        "kbXNgKYa2roM6NyWibu",
        "get_SaveMySettingsOnExit",
        "F^6$m",
        "n3rgDwGXafkkcx5gouJr",
        "ec3U9wu2fsVZUr6Lj20",
        "6GqPb",
        "GClass0",
        "Bitmap",
        "aGWUhgS8iNnqJsra3bE",
        "pSsQdFbvdRwJPQfsMn3",
        "UxNwZnGLh6Auq9Ar73ID",
        "^{mYM",
        "g6-B)",
        "%Jyfl",
        "}MEo<",
        "RemoveListener",
        "__StaticArrayInitTypeSize=32",
        "wKy `",
        "RwXZKpq1sORMZx8TsQA",
        "_Lambda$__31",
        "HEpOZbhxJXAB2d1IDJW",
        "SO0YqqGr9CWruhT1T5ku",
        "2Z'YlS",
        "aFAS1pY6C7H4rlXvIoC",
        "get_Direction",
        "h&nsI",
        "dBt5kAls1O",
        "YVtbUhmEGQ",
        "JR885VrATYtfMuyBCgI",
        "GYnqK",
        "\\,I%R",
        "Clear",
        "qL9v6GywVtJdNaxDFvo",
        "O3By5n6KtG",
        "kuVVkwGZFqYy6yyqcjKG",
        "dw3RO2msFf0gfR6op7i",
        "ClientVariableChanged",
        "Platinum",
        "z,Ad\"",
        "IeZdjtKfkyS4WoFPFNE",
        "pXR48mG8DBhl32k1ZBwb",
        "w#,TH%",
        "XVAeFNmRLc",
        "Rq4HYZGIi906Wy7cyBbv",
        "nlIE3jjDx4ZlID9N12U",
        "nkDknqKDaJ13NCe3mwM",
        "ipaddress_1",
        "title",
        "oM6s8qGbsqSgdrdqSpZ3",
        "ComVisibleAttribute",
        "W?alM",
        "bsnQX",
        "TwMGl[>@",
        "pipeName",
        "jBnJxyeTj3",
        "kg 7f",
        "osS1K8ZFLbZRF8nwe8Z",
        "h8uWJru82T4dOgP3Ztx",
        "PsWUwHgPxY7e91VBKJm",
        "LinearGradientBrush",
        "gclass17_0",
        "vikUVQcm2k9mkjlETk7",
        "PmMoh4XJ1pAIHV0UdZQ",
        "sCYwGBt5OS94cBqEqWw",
        "{tzNX",
        "VirtualProtect",
        "P*'Z6",
        "AQGt8bkdlDiq5LoEUZp",
        "rl75BSGCYqUIPNvqVafl",
        "r|F?qa{",
        "a41RYqG3G9OsjAdRbF5K",
        "R7hbvuHFRvNwKmmoD1X",
        "erCXymGRL5uWhmcKYv6d",
        "j^0pu",
        "0sPY,b!",
        "fBbAARTcL0",
        "gKMhiwBd6U",
        "yhoatyGCG4kyc5d2jV8T",
        "ConnectDone",
        "PisZJDGAl9twe7IDUpCV",
        "GetRuntimeFieldHandleFromMetadataToken",
        "o0UNtU9suS6JJDZpGGk",
        "xApI1B27l417PdBiVDN",
        "yRWWZ7UORlYpT6i5MLu",
        "L2IqtSGAXJq52mkuwcDJ",
        "HIxTl65Jp4TIC5kGVYR",
        "JO6u8xGLLdnrOtnG8R0x",
        "g9bXi8VE3noJlP0lj1t",
        "ClearProjectError",
        "k0gnJeG4y8d0Hhu1SsU6",
        "set_HideSelection",
        "f0oOWOs343",
        "CornerLayoutControl1",
        "ColumnWidthChangingEventArgs",
        "JHN1qmtAnMd2D3T5U4M",
        "DwmOjBwHiS",
        "NTCDqu82989XfsvTKBW",
        "OM/CL&",
        "B}T%}",
        "OpenProcess",
        "M]IDEO",
        "#>bHi",
        ":JKq![>",
        "i9T3D8GCzVqqGuvCM1QI",
        "dRMnJSGlvZC523cOhRJX",
        "i9YtgicQ7ov6pNaeiDc",
        "nkZUOVGyTQHkc8UxGPnr",
        "s9cvLMGyCEJYXB3A2Fq",
        "EaWM+2r",
        "^d\"9+",
        "wBvhtUfRMM",
        "ListViewItemCollection",
        "Count",
        "aBkBF6GYxmARxSTV7uQI",
        "M20lEf4cVHOCmIdncVA",
        "iS5MdyVOmOJSmpwPkMv",
        "get_Cursor",
        "x1bhedPAUM9JAZtDtA2",
        "MQaN0s8hU5eJ74F5A0d",
        "Jy35SZ23uGKmgeS9Of0",
        "nu}r,\"",
        "jYwlgTKLy6aLqVo12l5",
        "Sa0nXKGgm326cGeKB9bc",
        "(\\=A@",
        "5?bF!",
        "adpcbaKIxhBTuUbMQ8P",
        "get_ID",
        "gclass27_0",
        "QpaUbcsztWuNXjI2ah1",
        "WtBRKq9qM6UnCnCpVAV",
        "set_Width",
        "c6VEIiGbHwX2PFOhZRqo",
        "QNw!\"u",
        "JkZWGyrNmIvRqmBHTtN",
        "TextBoxBase",
        "byte_0",
        "u60BD2G8mpRhNxjxTXaM",
        "4Ct]&L",
        "m1ACr6gCdi",
        "V+Nk@9",
        "p{n1!aQA8",
        "{6?[t",
        "=h<wcM",
        "WHGRUqi409yWbnJkNHw",
        "TEr1BVMobL",
        "pkoixHaAjIEphIwNV4I",
        "mPgCNr1je",
        "mRWJc07twYPM9BwBuBF",
        "Dp_k1",
        "sh92rYTGm22FCeuh0Rm",
        ">s`.;<82W",
        ")\"+.'B0^w",
        "3qr-.",
        "oNSMclyJejspVUMmGTP",
        "f!1h7",
        "eAwpOcGA1opmbKGXRPUr",
        "lLBXHvXZgF6T0EMctYj",
        "U8ixGAGNkTQ2ImXTcxrj",
        "&^.pt",
        "AX;Us",
        "ci9Gm1k0u0cn2XnsfUI",
        "BaqmrgPzdMsSuBvkGdD",
        "fOEKK7EWMrm6aBx1mmZ",
        "%<uTa",
        "mZ2Zxybwccp613UeS2V",
        "KLPKRtnGni6R8nBmWmy",
        "CreatePipe",
        "2:fGJ",
        "zMPVW1GYBySPlkNx139m",
        "ToastNotification",
        "fy2C[",
        "g4NsAqGwmkvPav7hTCy8",
        "FromHtml",
        "iKLvksKE7cY0gBt2xn1",
        "J7REV9yj5q0KrNo6yv3",
        "TdM75saouNJiPAeFR3K",
        "%Je+r",
        "OoW6c2GNxUapvLs5UhM2",
        "~U}ST",
        "BottomLeft",
        "Nk3ktF1LkdTITsekFeF",
        "KXE9NKiSXeIKAF8CLPA",
        "afoE+",
        "w@QNsG|",
        "I4YvsRR1eA",
        "RqjXAPnmikstjLkPdrs",
        "BNOyRjphs3ewpyNoyjJ",
        "eEHCgCQAv13yy2OyYsi",
        "uJMZXpeZ79tumhDEvEi",
        "remove_Tick",
        "fileName",
        "yFh6xvAjoK",
        "InitializeArray",
        "wpMtm7GCZjuagvBGnH1s",
        "dQu3DSMIY4EJWJCtRJU",
        "-~8uOR",
        "JjFDuY0CwY",
        "xAi0cVNRLM",
        "BYBnfZSZXZ5B2ADofcf",
        "HkoP7ImogB8JD04B0hG",
        "aIKy0LFeDN",
        "LYtk0h1jTawSt0Fi9nV",
        "ucnCM0GZ25e6G3eO9Qie",
        "gheWIAGwxcr64ghfTR9R",
        "#D}Vew",
        "E7cfZwupk5uQQcPVtDk",
        "Ny86ZIPEvywc6shTqmf",
        "VdXYyR81ODZo6RIvTuC",
        ";-wa+",
        "0uf!&",
        ".#Gjj",
        "%V|r_",
        "|h@~dL",
        "nSdRVA2H8W",
        "e7VuFaUfLDfIgV6aTaF",
        "EacQAkGZdcI3CuCbWlyb",
        "DRATPi",
        "abtn19qOCBeuuYNUKNv",
        "UL0IAgWQpHin6dJ5T8i",
        "nOh1ZYEaZB",
        ":7Aip",
        "(.q?jZa",
        "4'yQ!",
        "BW1pEe1HdyHf5VNfdu0",
        "avU0OFH88bZPjKkEvsG",
        "NY`8G",
        "aKLh^I}",
        "kvBmA2Glga3k1ooNqoFw",
        "F+\"3o",
        "hI1yx14wfe",
        "qp4n8",
        "CnWlW5G8whnwDMi0GnL",
        "y5GGOkKWhTtfChwl9lu",
        "{11111-22222-40001-00002}",
        "mc3TfasC9Y",
        "FM5+0",
        "w9mXynGnQSt942qm0wUZ",
        "UserControl",
        "vc3NASlny4SK7NFdMTf",
        "YjDwFrNIFh",
        "eoo675Ik5j",
        "HO9XB",
        "ComputeHash",
        "ConnectAsync",
        "PbyplS4Y26IcQj8EjZ5",
        "widgetEntry",
        "C2SqNZ3qTy2qUHBlOkV",
        "RqSn38FfRC",
        "A8PTbaSF4b",
        "d2l4OXmR9q7Cphh0JIq",
        "tr2S4hPW5lpWttkP2Xi",
        "NrvvUGYZfyc5RQRF2nB",
        "pt9qsT7xMR",
        "\",X }",
        "Mxx^+0",
        "j9xVHKBOnXpXrXKwO8a",
        "aiJdvQqPBpSbJigmh3u",
        "w3bdH4SsDvSeA6cdcmj",
        "NEE08fXOYqkiTt1Yn1e",
        "pvoUVePjsKAeiW8JUPL",
        "vh3ukJiiagksFgnBW8b",
        "VWqxXfAM3dDu2wpZkHS",
        "\"MKoC",
        "get_StartupPath",
        "FdfoNJB106n5Q5KhYQS",
        "ce4DmfsmSrOT856tDgfrkMb",
        "AFoop7G41xo7OsvKMl7I",
        "RTHrPDml18",
        "Sw6b5GwsXy9UBL3vc1Y",
        "?y/KG",
        "XLPBOMGKv2ZIPdoBx1gm",
        "_Lambda$__59",
        "Xgw17s9Pmx",
        "NhUqmqoLlQ",
        "wG9SVFTFiaUlP5rfw4t",
        "FhN4FqGebvq0h2h9CMRg",
        "\\VJ={",
        "zKVhau44WQ",
        "toErdIdaIv",
        "DGFvDrLaP0CmdQXC8qC",
        "AZc56WIj1g",
        "No_v)",
        "-OsQ7C",
        "'aSw7",
        "z2nSk7Ob9pr1Z0f6cBV",
        "XGqKFrG8yi0Egw2iEnou",
        "RichTextBox",
        "SetRow",
        ".nf3~K",
        "fBug,(",
        "VYmYrdbS7PrjnrZbAgH",
        "AsyncCallback",
        "R9ofpSGVOWddX5eEnb2C",
        "xoeth4BHuvFUBu7v1eo",
        "PPj0if1YZhcK8nAJkm9",
        "<Module>",
        "hNqeCiNM5GpPOq7QJ2",
        ",4~I&",
        "X9eZOjB5MicYSkneFlf",
        "W>L9j",
        "8~a<;",
        "mL402HGnE1oGpob0I7gu",
        "ncoBgjNniOFVgEKo8c1",
        "gclass16_1",
        "RQl2MuVyDYTNX5cDHNH",
        "PHgrVCtBsjFyD9boem3",
        "Ukmlpd3CTrQq3s6w0Tk",
        "IccklMGEp8HomxxxqHOl",
        "  /N2",
        "twK9q0hOsS6PCADRrxs",
        "IClientNetwork",
        "+I2}=",
        "          processorArchitecture=\"*\"",
        "hMWAPpP253",
        "HERT82dmFPyaVYyF1pq",
        "6#o#z#",
        "tP7HCrGYlCQCjcc8R2WR",
        "mS\\Ps",
        "IsNullOrEmpty",
        "YQsHBXuVlXMWXZoNQAk",
        "G5Y1qjoyAc",
        "deaCYZGYXOJMkqQMdQmE",
        "YZGBJPl0TB",
        "p6HYqttSS1",
        "ugqDZ6osmpafiOBB1vJ",
        "XiT5NCiYQV",
        "I~iiDA",
        "TpQ0dxbHWA",
        "FillRectangle",
        "zfRnmpbCVLmqmUIpB3C",
        "aFIwUYGXUNg64ugfnc93",
        "khbR3HWn8lwqpaCKEuV",
        "GetConstructors",
        "VPiB~78#*",
        "RT5fcXgsX4pCr488vBG",
        "lLJDstgVQK9c1HMwNC3",
        "rp3CKc5ZBt",
        "set_Panel1Collapsed",
        "LpXtHMPNkI11bbtpSmt",
        "k<A!H.",
        "oyU59OyYln7Kj9Njbxp",
        "a8WJhU9jwUkjWwLHuEK",
        "?up1\\\"",
        "qfIGBU8YY6ulbeB11F",
        "Contains",
        "AddBuilderSettingEntry",
        "ycri60UUgm8j1K174m6",
        "ToInt16",
        "VTJNBwKiaU",
        "OnMouseDown",
        "wXDDSRe4cm",
        "z6wdO1tyopTry9foIka",
        "ThreadStaticAttribute",
        "n8Kqf:",
        "o6qZ1JHXvCb3BSPCm4L",
        "rGIi'f(<",
        "duZexRTXlYwxWsRSRYD",
        "SKgfrIX65jA75iaKfbx",
        "hwvcbcGfXmFFxgHKl9Qr",
        "method_28",
        "vnI8VNG8E90tslPIjsD",
        "SettingsBase",
        "u0xNuqdoRJ",
        "zyCYGC4wHuoR2Ji6I6q",
        "YW7l]",
        "O@`r?",
        "F7vKla9H5QI8ZjRDusF",
        "zfeoi6QsWSTDVAIaE9n",
        "sIT4OyGheB1B7euK9P5J",
        "WewD6bGG6Y23fmAC0E9f",
        "Label4",
        "APJjVHYHJYwAioP3QhN",
        "contextMenuStrip_2",
        "mnWbSwie7M",
        ";Bn2ER",
        "ContextClickedDelegate",
        "Application",
        "zqgEk07VLRPAi5JysDD",
        "method_25",
        "qrdjv6KFZI",
        "Z0d~&",
        "RemoveValue",
        "yafgf9YpAEHW8hr2jbJ",
        "Fsk2vVGejEutdHknoYDS",
        "gWUjqkGeohWUqXZoLUiu",
        "NumericUpDown8",
        "exception_0",
        "loD3y2GhOVwJ129MtwN3",
        "gh7YWgeVFP",
        "SlDBjuIRnp",
        "SfIewquSRNvicilJgC",
        "WLoUdjGERNR6QEiVXVtU",
        "FBaWjo7D47uQeUdGUZ",
        "{K1+i",
        "mv9WKIGRMlpfh08Of8Fd",
        "gc40pHhvPP",
        "v6BYwsuwXZnOvnMfrpl",
        "ToolStripMenuItem",
        "TMaqEVeXqf5dpaPUdJG",
        "ytlr1FNkom6ptbvrEuo",
        "yxjaxoGZwOpcgOF0t4m7",
        "UT48EIXKyLox8qFwPa5",
        "CWdxOxBRUqC6lCUEk2W",
        "get_ModuleHandle",
        "iWhTz4mfTe",
        "SmoothingMode",
        "set_Cursor",
        "5i=2}C",
        "Xb8rXATk8O",
        "yvOB1QhUNZ",
        "l4qAJbZ4dk09ZTaiucE",
        "|r#J}",
        "RlcCt01rTFKGD1MOrC",
        "U0jQrxeEQ4gqDb4G3ce",
        "iclient_0",
        "sRkjh8IAmvKohgi0Kjs",
        "vRAeb8HRyDQTmRlMt8A",
        "BandwidthWidget",
        "GetProperty",
        ">tM$a",
        "BytesTransferred",
        "uBGN6i",
        "CompressionMode",
        "mo3CWAHdIr",
        "lpiBysFfgSfJEH4dbj5",
        "q3NXYkK5HpWPxI8fsQ4",
        "Id5wQZx6piYh1Qb9KBq",
        "WyAeJx9Xe0agVVp8f4a",
        "|qU|G",
        ">#]`7",
        "ftxH4VGDWVcY9FNpP0w",
        "#[|AEy",
        "2</e_1",
        "o9wC4r4QsD",
        "uE7QrYJ883NvxnG82Kv",
        "dAlKIPGIhd2YBWufpVbe",
        "yvgfWoPl5GMppmSQuXC",
        "jGOYhi6wOU",
        "CK5GQqm2YhHYPi2mw46",
        "mIvfBUGLnuv0BrNBgnnO",
        "F43GRmGNRvty3PJx6Uga",
        "i}'DW",
        "BasicServerSettings",
        "gybucsUpDxxjvm6Au2Q",
        "KYLfkWk9Yp",
        "TVBN-",
        "Message",
        "ggI1XxbtDa",
        "iHKbPWbw2h",
        "rGvmxkGmF52CEL2nc36U",
        "KijrVRhXkD",
        "GetParameters",
        "ueArn8Nb4d",
        "target",
        "Ex7q5niKt6",
        "X$!@vo",
        "DrawImage",
        "XJABlN4L2m",
        "qJIZeeNy8RIv9RQAvl9",
        "get_Data",
        "-lwGQ",
        "=bjCur",
        "RNRDAKGOvm",
        "XMNO9Y6sNj",
        "WZf80HIrL3hnLxgBUuV",
        "oJY|]f ",
        "Cor7sOGm3nUtmG3mVQpi",
        "+2>zM",
        "sLn4IlGJr5pwNhSKTlU",
        "sODR5xyRwd4kXh5c0Pb",
        "af0dRO9TNd",
        "?'1OP",
        "PVenKdGdvx",
        "JPnVLuGnHNpXyCg1EIfg",
        "ldQSrEuQEvNHDXoRIJk",
        "B0rvphqhxmoxgmwRAWU",
        "ds'z%",
        "Priority",
        "kQ9WCBSnfPPhhK0A9qV",
        "RJu9{",
        "PluginsManagerPage",
        "uuovxaB201mMmwyRonM",
        "iQOrv2nkbG7Ud2qaC34",
        "Align",
        "BuFNvmOeXgMTAZa4mtj",
        "V7zN5",
        "oPV5dcYMS4",
        "}ayfR",
        "hy5dF7VaI3",
        "RadioButton1",
        "LtllLuOYkkMJUgJZVgk",
        "f2H6D?",
        "rCE.k",
        "fcyV2E1O0vNKkGg1Oiv",
        "PointToScreen",
        "vbh9SsGf4m4Gbi7pSFAe",
        "c63YUCG4VYpyJCZASqG1",
        "calAphGkrnHd4NAI8mdQ",
        "S52ZFjestQ2rabDMHLe",
        "p6h+3",
        "method_50",
        "BMftHZGVbpNo8AGkynEK",
        "IVhJgKGK2t",
        "UJUtv1tncYvFh6yRy0N",
        "v86E7wQtJk4JV8wUoM7",
        "method_10",
        "wV9OsB4inm",
        "=zu3t",
        "cT2CHAj73t",
        "P7eOtno2IZ",
        "U7kNJQbr8y",
        "jEH2UZQOZKyhFkFFLNS",
        "lJgNMicvSpFLABR0vaa",
        "YAusbqGylqrNgBIjPIEa",
        "cGuiXPGLX2MbwE7SVrAN",
        "MAup4lBuy7eJE8Qi7IB",
        "/gcoM",
        "ActivateForm",
        "AUIjpDy0Tk",
        "Na^9V/Z",
        ">+nH5s",
        "ADDJI8rTJgYrXCDKM3f",
        ">`)Lv",
        "FYkHjxcUAKvFgtBV3a4",
        "_Lambda$__37",
        "AZ+':",
        "qDLYYS39at",
        "OnColumnClick",
        "usaQdphUAn",
        "gvsxfDEgUI",
        "LFIy3vUBcA",
        "jtBy14Goxl",
        "FQrbECzbffrZRxIaJm1",
        "|}8; ",
        "GClass18",
        "GClass22",
        "AObDX9pPf7",
        "#^nc*",
        "DN0QxBPi1wDClQNado5",
        ":Hh^%/",
        "['!'6",
        "pT5HcbGxkEGg2LH9ZWto",
        "W]#YR",
        "MBXf36",
        "vfG98CyZuTxn7l5xNol",
        "AxOUcN5jSHsHFFKrC3k",
        "get_Icon",
        "9lXkY",
        "3`pF_",
        "add_ColumnReordered",
        "D1JyOBg5yMNir51Um4A",
        "HDKHVbeRkIP9gdahAF6",
        "Label30",
        "P0sUt0BaO0UOvvYe6X5",
        "oNo1kNGYaUsvu7Pcws4I",
        "set_CompositingMode",
        "dqluwxfFY7BniNE8Ma",
        "n5aV5doa7eufVf79y8W",
        "MfjFxdGneVCZxih85JjA",
        "OTR6neX1a0",
        "DrawEllipse",
        " ~sBft",
        "_HbtX,",
        "aBmlN",
        "sLalypTVxSP6Kg0jn9U",
        "eN5P5nGg3m2PAteqDyit",
        "Vwl8VnGIelW0ZTOHTqT2",
        "1B~n$",
        "get_Version",
        "FTKdIPlBq0",
        "ltDSRvQEHH",
        "DLBm2JwDZgWrCF9y06",
        "get_WorkingArea",
        "xnm3TDGRYJpU1rdte0ja",
        "vRdo~wXv~",
        "fCTOamod9ddscBwgag",
        "kmRxGDy1st",
        "xkYRm0e0Wa",
        "XDWJgGjQvOtwtHDtS1x",
        "McVExfkYFF8jtjFdkBP",
        "prnivVVuY6X4js3fpUH",
        "fGlUVmqwQdsxmj9jwRL",
        "vtsPNKfHlD",
        "2Z0k{(u",
        "UYtjkWTgqP",
        "get_ThemeSettings",
        "hRCJc2OiCr",
        "k9eXeQGbi4I5cgPLtCWe",
        "Y1AOkfGl39OXiGp6JqhJ",
        "IClientData",
        "000004b0",
        "oZNZ6qGNqy2pykolma6y",
        "WeHZBbV5P8xckk15y1F",
        "jaWtJCp5ERnJ4glHy8w",
        "kAG2l6Y7owNF5qYOWD5",
        "uI3f44GfM6Gm0DgaEKMr",
        "rgZq7Uuxr3",
        "jexSD8G3RiXMJxj1ltiW",
        "P9ZtRf95N0PRuhtAFG",
        "KiZ5cvGVoQs4ESOhAsQh",
        "Ml7K5",
        "RDRtG8GnYZjnpOZK9qLt",
        "GClass35",
        "cXNsjoz0B8wPAXfIdnw",
        "M$D-X@O",
        "{,15ld",
        "eMFaIORapDoraaEv33H",
        "add_VisibleChanged",
        "GDelegate8",
        "get_Column",
        "DcEh8T0qnf",
        "zwBBVsGCC6naXRdaSwfG",
        "gdelegate12_1",
        "PT8hZsGlhcCmAmCyBGvn",
        "gdelegate15_1",
        "ntjoRPGAiAhJbID0bVKj",
        "RC7.#",
        "HWodmPTiEks0iNSMS7L",
        "vxBn2nUcSQZj0tITb3e",
        "uO3vjXL9ln",
        ">I5xi",
        "'d/zE",
        "{=plcU",
        "ToolStripSeparator",
        "K?p]t",
        "DaUD4esmeSPKc40SlH",
        "avkP2nIdJM",
        "InvalidOperationException",
        "HbaKXwN7w96uxQ08V7i",
        "Gxc6rnGNBXPXq9P2SCfg",
        "eKT6ci8UYE",
        "n6Ol.",
        "YSpf6GGYG20Y8oNMD38H",
        "get_Highlight",
        "miy3bPmtRK7fgU5Q7k0",
        "scO&I~",
        "gparam_0",
        "Va4klFj0SY0vNWwgnFr",
        "|O+Zh(",
        "qJm9EXGxxNQ4volsfVTs",
        "sFi:#",
        "sSW8PvnM5uXytf0GW6e",
        "nQsS@",
        "kdXcxB68CKaGPMJpQKY",
        "BH9kdwTojf2Kwq2btik",
        "get_ToolStripDropDownBackground",
        "qVZR5HVF5M",
        "kHNBkO8gdv",
        "PLmDVYbWCTgR0qTjwVT",
        "XrTQYd29wHoW0lL3m1k",
        "T9yBLkDeAxaubukRxo",
        "}1h.8W",
        "Inflate",
        "set_InitialDelay",
        "hrrbUpzCSUq0Tn7sRRd",
        "get_Button",
        "rSl6O7Y3iUGYLDhZpRo",
        "rTw0Q-",
        "gdelegate26_1",
        "seZQNRGGD2r0gqUCc7Bv",
        "J4nCTXGXGqn9g3QwqUxA",
        "xfwa8NAr6iZ94KRC1yY",
        "4HZ)z8",
        "bkC!5",
        "Parse",
        "gTD1oIguAM",
        "NV(7Mj",
        "SxRonQarXy",
        "pIFCzJm0Jc",
        "OjejI9qRfS74yWqkqg",
        "&Nk[8",
        "PuDOPc1I2E",
        "HW6TU4GNmwrqsAQYy0NS",
        "o9iHo3Gy7eo4hM46U9dL",
        "\"qpXH",
        "mII5W6cFAC",
        "M7Ivp1L75h",
        "Mj?xVO",
        "IWebProxy",
        "J1I3OKXRZ8VYvCeDkTT",
        "dEShstGlEb4eBUAGLM05",
        ",n[<cC",
        "lyOZZH5i4Z6HEAIfhKv",
        "lNy4j13vxoldpwjBEH",
        "7TUxE",
        "QLGCA1G2Xs",
        "@*LdQB^",
        "jq5uwkIYJ0xMQUcOwyN",
        "add_SelectedIndexChanged",
        "CFyTsrp0MeTU7U8Kx8X",
        "_Lambda$__55",
        "htXWhOKJsMjdUsu1SJ2",
        "SDx6WYvnT4",
        "PsOC0UBcGbpZPjUb921",
        "leXwV0voL5ZQGvef2m4",
        "GE+:=",
        "ccM:Ai",
        "IHOBIyIwJk",
        "TabControlEventArgs",
        "lYmSCevtgp",
        "n'*E;",
        "lrQ2lRXVg3ICnagiEsO",
        "iPD|w",
        "sYFStvUBJRulbdS6Oii",
        "set_Selected",
        "^x-o?",
        "TabControlCancelEventArgs",
        "gGlaQfUMhAHKmsWdnid",
        "DiYb5EGf9N0R2uMlK5Dg",
        "MfyB0GFXgvgCQLggKs0",
        "8zCz#",
        "B93stNWYQ52WxgpyNVP",
        "ei\"5E",
        "Ul5Tq1xJ2Sxr3WZ5fZl",
        "uhGEe9GGuXOrv05orl7v",
        ">~+6Y",
        "wWNH65FiH727anVyNSV",
        "ColumnClickEventArgs",
        "_:#%a",
        "hy86pSP0OgNj7HdYmun",
        "lUyjQdGyeqmbrFqkCOAt",
        "CompareString",
        "c3FU0uGYMo4PSTWdi8XD",
        "KtOmCSGIBHIel3pX1c6R",
        "Lxv1W9sOppgDopk26aV",
        "Igc8DIGhVwco5aZjq3i1",
        "O%~BE",
        "c0ahPBGhpJo25KgXXq6U",
        "Q'v\"zT",
        "d86Aa7xWJxVt0wey2JD",
        "alvJLhClY6",
        "ofg9P4YRkFaCW6bYsiu",
        "B,1Zpo",
        "AaekE",
        "SipIvHhdpXGG7yRcx3K",
        "xmZle5Swb3lu95YWLvd",
        "LzcJA]",
        "xCCrJcGyoYL3OsChvWF6",
        "3Rpu\\d",
        "'DvWp",
        "KjEx7Grmcb",
        "*.e4KsS",
        "v&/q[",
        "!#6qHZ",
        "r0r qVBPf",
        "Ga1IP",
        "logColor",
        "^/znH",
        "D43tD8KVP7CJiGFmvlU",
        "ISupportInitialize",
        "xQ#OTd",
        "jKJ)o>4",
        "\"_Jg&",
        "dOQoDR9rQW",
        "pTQFINSiHTsFok3TdL0",
        "J`hRF",
        "INuekNSu99qtIT6TBfH",
        "SetChildIndex",
        "jXZ6f",
        "rvjZXxoXaf2wRC9g9HB",
        "b}.V$",
        "pTvqngGwh0D6BpSlbZxM",
        "QT3o3mitqf",
        "QMjCcQeKeh",
        "<A5GtY&Po",
        "nmGTXiag6k",
        "PeLN9xUsAL",
        ">D,Ncm",
        "oVFv0SwMak",
        "xc0EFoGKmOetptDniAW5",
        "~P^X}ux",
        "Somqvi2hpt65PlOYnnk",
        "m4Z8IhYQsJ9iul6TdrK",
        "lqAOaggGMG",
        "JfF45LrMrseFevgOVav",
        "S2AF7U8nfxmK4OWIUWA",
        "DtTSdbG4lrUxtIaWO9PC",
        "MV2lKgGbFdJX4r8iOhf",
        "<RxQk<",
        "mLC9vXlif5Bl9OH8A01",
        "u!ZAQCo",
        "LKJ@'s\"",
        "R8HVCmGnNl7Z9NO6Oro",
        "lc0UabDGMSDRmBWMDZr",
        "gdelegate13_1",
        "rBrq3bCLAb",
        "HL4ev2DgVCFxdamJUqO",
        "GAltWe6f7cWZFkosbV6",
        "S5mBWZG38XBl668IMe0c",
        "Enqueue",
        "mqhFHOWPeqVivilZnS2",
        "h<9L3",
        "GClass7",
        "FkUSQ0nX9n",
        "phI8@",
        "YHJUDADhOHaQjgIG6bm",
        "kfFJC2G4prKIFNP1XjPU",
        "remove_DragOver",
        "vwc0nVGIsR03CZVZtDtk",
        "CryptoStreamMode",
        "~g8Sc",
        "get_Count",
        "UZ25t30TE9u6OqWRE8N",
        "eMiaf6TuKtSY3F8ydt5",
        "pfl2xyzElGlQMKPUg2S",
        "}*tmu",
        "hDKnxPGxEdtlnNcZPegB",
        "\\H`8t",
        "a4q1YsA8T0SRibiqGaG",
        "pqE6IPG4gj1wVNASsUMk",
        "TouDfMRart",
        "YohjtEGLJF09LWqvitpk",
        "gdelegate6_1",
        "HjCmJMBB1WxIvETmMJ6",
        "zYh7A}",
        "1G9i|",
        "yWJdYsQC1BNPpvJ1eUh",
        "SE7Cn9Swptk3NFJrObc",
        "DragEventHandler",
        "Bj18vJGbSl6Zl7WfNRwG",
        "eVPh2WrUVr",
        "eP6bBIgRUk",
        "KjuQp2GPv9uLFsmMX5XH",
        "IMI@J;",
        "6o5SfO:$",
        "&9M=ee",
        "'BlDu",
        "Jffl5QGl9OltoKNjgB3e",
        "UZ8SbNtouc",
        "QkYywbge4Rerre5ceYl",
        "eLggDYGKG70FYJFT9f1b",
        "d19NUdNiiw",
        "NQdRkQGEyTiXiDvIE4ke",
        "FjttQSG8wgOhOpNelUap",
        "]P r\\",
        "Gc1cX-",
        "TB4LKIGYNQP0HNfRkFLv",
        "BmCO0IRw9t",
        "EoK5BWf2ZHbYNC1lbKb",
        "Kti4YA8",
        "Interlocked",
        "pdYmJlNF6V80I2rMt9U",
        "    <dependentAssembly>",
        "FuJ{h",
        "CheckBox4",
        "q2nb0hhwvfPipUg8jlB",
        "LHSBf3F5ST",
        ";K:$Lr",
        "0qaIc",
        "aVCVuCTw9GstdyihJHW",
        "LyaZjuVjpJfvxCuiIxj",
        "vqyUnaY9JNC57nvT7BA",
        "KSM1uo42s3aeGnUSYor",
        "fqx1!",
        "IP.kU",
        "BQYvLwz1BldZdO6O8rO",
        "bC]L>",
        "2kM\\Hv",
        "nRCwRTGjIN",
        "xcU/dS",
        "HphfTXG3PvRTkEcjCP9x",
        "8vCL5",
        "set_Key",
        "OP9NZhYyFjYG1VWtv3d",
        "nIklIlTyYTIdvSUjabb",
        "OnSizeChanged",
        "f7NYzMooCP",
        "Hna9n9AOvC3fUDrO6dZ",
        "wnCe12Db6t",
        "OTItmdGhkwdCETdibBoU",
        "GhcvqhZOl",
        "loNxH9RpYo",
        "ZAd~k",
        "get_Window",
        "Jxq`th",
        "rNBDiTKZbM",
        "ntyA,Z",
        "*NuW>",
        "NWoZI",
        "nma4HBDIZhERdoWc24s",
        "N1bapZGhUdWVbjEZr5qB",
        "Lpsjr 9",
        "vVnFXWGZ7hMgImN6ni03",
        ":extKR",
        "uRK(T ",
        "PfTRxiKasm",
        "WTP87",
        "GKbiH",
        "S4YlAjq683",
        "set_UseVisualStyleBackColor",
        "$$method0x600005f-1",
        "Lci25c9FFxY5r0OHEZY",
        "xv{P0",
        "mr1wUtQ2Gt",
        "Ru7']",
        "Mm10O5OIKakhKvunlOu",
        "DVbfIy0LMdbo8JqobUr",
        "F}>Qk",
        "SUn;VK",
        "C8PgTjwSJgaFsg2JNLO",
        "pPcuNeGeBd42WLyiSeQJ",
        "m0QTuW5rJx",
        "[!f*<",
        "AEY5JpGmsTQMTFdbDlel",
        "nw16No6Uv7",
        "]e:HU",
        "        />",
        "XdhxKGODHo",
        "$8rZJ",
        "fTbxnmNkqW",
        "ClientPlugin",
        "2n@#(",
        "Dx284ExnHDatmlyyRVp",
        "rJaq9i3AgMdggYMwHJw",
        "jOk2ZMtOooyvqN71hMB",
        "DU4$*3M",
        "lEuMCCoIPcfoiGTMjkn",
        "r77PCFGl58jJaohAnX0g",
        "a9TSznV0Sq",
        "NumericUpDown2",
        "!A)Vx(",
        "pLHOGodgiUpi61eKrLQ",
        "P6ACixduYl67qF4NaKt",
        "E12Z6Iu1UsbGWc24NKF",
        "NumericUpDown11",
        "mJyloTGXcDrSHN7XkOLr",
        "x2DJYPIC5N",
        "uMwTc5B4Rw4TvwNUfY3",
        "[Sz/\\u",
        "RyWfmEedE2oxWpfmIyJ",
        "K7KhUGvu18",
        "sGjNVQGGHr4MgcxncLoe",
        "ViLyQ3OuEk60hPkIbLR",
        "rP5YQoD711JDDSmdMcC",
        "Le0QQ6vrwNVv7nRUWTh",
        ".TgXKQ",
        "NKNTlwGxXsvChXtxE2bi",
        "y){jbA",
        "byte_5",
        "TqAPFPresAHJ5Gb6ehE",
        "IItDjaoo5O",
        "GDelegate4",
        "B/*w~",
        "t7Yr\";",
        "NDVeDooPlh",
        "yrgoFqVyrp",
        "MLIbyLKYsu",
        "wjUqPtGfn0xic1tUa4hR",
        "PXpL1QBl8qRmeda30lT",
        "IT5XLyGxhuNIj1MxrWxF",
        "GetName",
        "set_Positions",
        "Jzr<o",
        "zDObU9r2HNX7XxSkvK3",
        "D2CRaFWQuX",
        "zWPyHwoLyV0DqRK46Ea",
        "TDVmAJoYKBODyMaCEnJ",
        "AG{-w",
        "h ^zc^W9",
        "r77MZuQXdxbgacpslhH",
        "HXPwJFsRqZ",
        "N2JmwxTlRtmFseKkhUt",
        "\"c6~r",
        "cPZ\\ve",
        "Wons3QnAoW7CI870rBR",
        "GPPmV3BMJ5EHQkMDjkK",
        "Te/s}",
        "iIpqkcy5Ep",
        "pESj4I2FYY",
        "          language=\"*\"",
        "ModuleHandle",
        "EventHandler",
        "StringBuilder",
        "get_FullName",
        "TRVUyTTd7LE9Oly9YlW",
        "Si!wu",
        "QgP5jW6Hti",
        "Ij2ZgxGP5svhR2uZobY1",
        "get_EntryPoint",
        "DTRR7iG3oci9WfAV2dk5",
        "mMGkYmGlwCFRMo6mbQlp",
        "_Lambda$__41",
        "knr1vF8W7aTIyTjbBXd",
        "TQrt6nqdHthbu1Yw1TK",
        "pTFlxMoVdVHwAc5ne6t",
        "Q;^w`",
        "AE'F ",
        "Dxv!i<",
        "lXONK7s0UH",
        "oLJRwNGPjd4YNO7cq45W",
        "PsB41fSe6",
        "Label27",
        "OAsWtIGnhwmuhj5Nkla0",
        "method_15",
        "VHjNrWm4oTGOlUi9m82",
        "klvHtLIqUMLEebKLVhw",
        "wMDbk0E2hd",
        "string_1",
        "aNkYhrmgVZVBFs5OdtH",
        "q1JwIIRKifShrPMdJXn",
        "TjJuHp5EogMTeDNRRim",
        "RaYX72cGWIwQDTshXPr",
        "I9HfnNFzs45D1AXsQci",
        "OnRenderItemText",
        "7B$IG",
        "<1_v&;",
        "Boyu1rGMhAgxMnTbtEI",
        "MR7nk9Gexj9keXYEbRiM",
        "System.Drawing.Text",
        "GClass14",
        "[<O^a",
        "PaV3gXLmaZYWGNtENCs",
        "NMUL2jkjR2Hqp4mnrjZ",
        "'9(R9E=",
        "aEse7OG40UOr3UIYEM6Z",
        "|#CCE",
        "A6A2XyRCeTGgwHFP6I8",
        "__StaticArrayInitTypeSize=30",
        "3o@-!",
        "^?\"E~",
        "set_SelectionColor",
        "byte_3",
        "U78XUPhfjeiqXvyamEj",
        "W6nPloGxHZKpuOLR3Zma",
        "Component",
        "n9<06",
        "TUlvJ2",
        "XWu7BhxrN9HPrVVyQgw",
        "STBiTKebxu",
        "HYP]%9A",
        "WP/KS",
        "Compile",
        "^O_ |3",
        "fQe1b",
        "DqQbJoG8p3dMXfnE8tb2",
        "set_Margin",
        "PsxBoSpVdNTMmDMApZS",
        "VMm<9",
        "h11Z*>{b",
        "nVNoh0GGqcmqDLJKh0R0",
        "TJ5fBoVEvy",
        "ITxRGCK9Wt",
        "~3M7?g",
        "g3x^~",
        "set_SelectionStart",
        "toolStripItemTextRenderEventArgs_0",
        "&_}<Z",
        "vBsglnrgLDJFm3M6tQK",
        "get_Variables",
        "q2lGx",
        "Lwpo5b0y8d",
        "KwoZiVGrYR9g8MBZ0DSk",
        "RMfnGDuH2dAi0Cu4hD",
        "qWfTo8TJ1r",
        "D45tsuGyrsRny9XVJ5YY",
        "FCndYfJYtJBJFFh5QKh",
        "JHL2UqeDdifMW0qsAJx",
        "dExC98Ig1R",
        "DecompressionMethods",
        "gaiEg0TWXAULeY9Di7Y",
        "_Lambda$__58",
        "nRrteIGyO8i7vM9kxd2l",
        "hvLJe5txHi",
        "aBsgZpGxWeN3fgU1GAPc",
        "KZv6OcCJdj",
        "UdpClient",
        "D;6:a",
        "y5*/h",
        "e#KeD",
        "I~&QA",
        "LvHeCA6YqZv2MR3Enxw",
        "fabhTHfaec",
        "uUgfcbGVVRA5ltM5mYtl",
        "TR3O_",
        "BJD:N",
        "G4dFidGgBm2hSNFbyUHo",
        "ry_xR",
        "client_0",
        "TSsJ9ET6Bcpeq8SYl1C",
        "wlF0SMXCgBqXeuxQoNd",
        "PgYplYGEgZPOCJFETQGR",
        "fileTransferPriority_0",
        "EQ^.t#.",
        "HIlsHkzByr3AtA5FKW6",
        "w4{+?",
        "g3MUv2G8EOOyqBBoudR9",
        "VSPhefGNjui0Bugk7fe8",
        "aC5mr5GLHLuRT2iu5WRN",
        "uen6baSrKo",
        "method_56",
        "int_16",
        "R~xgelC_w",
        "#\\h$j",
        "Hb2dKIgxFyE28JJ27Py",
        "IMVYflLEp36dWSsCj6V",
        "dH1Dm2YLr13sQeK61fq",
        "OUrrmbvq67f8SkXCpK",
        "c1jwdQNM8V12NZgk8ei",
        "1.2.2.0",
        "GControl0",
        "%4PO9U",
        "-Z|XI>!",
        "NqADyHKj5V",
        "'574Uc.",
        "('YAE,",
        "UGjyt2G3SaeH7b8i2NbN",
        "._H:{",
        "nUz7j",
        "aNLsBmorK",
        "AggnOaGmGE3pxmOu4CTa",
        "HUIM8msFY5a5APy7ybv",
        "ButtonSelectedBorder",
        "k7wp9rPc03PugqQHjpt",
        "ChangeExtension",
        "pXPpJvfx8F7e98x8xB7",
        "vl9lvSKTkSJboaeEBX9",
        "MrDukj5qPl8gjuSRQSN",
        "WqiweCrne4podyLydPD",
        "O@uh<",
        "o931f8i8GXjbDrmbQlK",
        "KEhOs'!",
        "YuelDqH6J0",
        "U7KRME9Vy4hBVDY3Bhd",
        "message_0",
        "y(yK=",
        "RG[+/H",
        "<scx)",
        "zT;A}c'W2E",
        "2'rAj",
        "add_Tick",
        "q<ke&",
        "8.U+W",
        "uoL0wiXAinfFY2894UX",
        "TqZ6QMgjuZ",
        "hhVdDTBBdL",
        "TjaaL1G4LiHySPQjvyqd",
        "BuilderSettingsPage",
        "wQ[hBu",
        "gTx1s70t8eykWTjjLl3",
        "SetProjectError",
        "IkS4bdr9drgxFgVPoZM",
        "+@(}e",
        "FQ9OgyWOgkooYuskC7t",
        "\\[0]x",
        "get_AddressFamily",
        "set_LingerState",
        "N6SgmQGfpWduVXaH3vLB",
        "7P!<-",
        "RYL51kG3FpmIQyooq7GN",
        "BXGaEiHj65roU8rvJZW",
        "add_Shutdown",
        "_Lambda$__17",
        "AddTabEntry",
        "FafM!",
        "247#D",
        "ANqp8IaibeYeBxNh6Nh",
        "Y9IZsKGbR2FMaWkwa5n",
        "ylkMF",
        "get_Groups",
        "!W|*K=",
        "c6GS7d587ZYgK7py0gv",
        "^cXHJ",
        "vNXxuC90Z2hmPbeXsQh",
        "ywFS6ZaXwlZltvoCvLT",
        "gZwyqJEx0DuN7mk8PD0",
        ")fb|'",
        "A],!K",
        "03>s6W",
        "wxiNWcwqnV",
        "sr26heGZJ9Pn2ixFNdxk",
        "$5qC#",
        "KhwL29UDbv6PGuohx1",
        "GClass13",
        "get_Graphics",
        "set_CurrentCulture",
        "MtG/\\",
        "agsfMwW3ZZsR6Nu15BC",
        "gnsw3HGCt1nM6ALE4QSA",
        "cupDVZGlkw8thNiaEtyD",
        "StGbHYc3RN",
        "tVPP3VfiiK1Rgs0aUD3",
        "QXri6tGlmIAfLaPy18D",
        "BM0%Gi%",
        "JQJ8DNzDpXLOnEdsN6c",
        "fFTRSHGA4eCJOBEiJMgO",
        "tmJu9hhqqmYPwhtSwW0",
        "L0ucmLi9uw3dNTQJ7sH",
        "BDrG6IQVIb4sqGgV4Wp",
        "UroP35YKxPfAp4tijBr",
        "set_AutoScaleDimensions",
        "Dequeue",
        "K8u^?",
        "tKh;)?v",
        "set_ReshowDelay",
        "get_Client",
        "sr6MZAefJN2FZFAE3v6",
        "YOBqDI2FayWMXQfhw6h",
        "eHLQ2U78rJjqCS034FK",
        "WHAjMCGPeZggkhKnbS3W",
        "VX8F7cqrmbXovKnBDnT",
        "wf3JA0AU5yav3V58KLI",
        "AjWkkcL0NKdFmO0x0I7",
        "ToJow",
        "lRVCj5N2yo",
        "ORyU89GAIejTeQP3uPfQ",
        "eCKhZ",
        "R7VbeZ1UIv",
        "1c\"U@^",
        "X5+!T",
        "TmaQnSd6EkXh27OOmjs",
        "/O/j/",
        "t5L3xEy0jBkQXb9cjZK",
        "5P('vXe",
        "KjYlmg*8",
        "gt2TTxFL5ngm8vSfUpZ",
        "yS56wBGrNth6E49eKbAN",
        "Wjdjv",
        "m\\Oq0",
        "eQE31NzkjGkfsPJRQxW",
        "',oXSCoM",
        "_Lambda$__54",
        "zvhbh4FWOxHI785cHHA",
        "VlkOtUGNK9Iuha7mGHV3",
        "^lItP",
        "T58h9PISbV",
        "misC8EQAd2",
        "es9BJ",
        "xwfqOqTVvJ",
        "OWAGKR7Zik6WCrI0Ejw",
        "(N# y",
        "Ab~[HD",
        "c4&`r",
        "mK26JlVB3e",
        "4~{t1",
        "SJlro",
        "px8lgRGw0nZOvWBhhfOE",
        "TopLeft",
        "Cursors",
        "[D<Qf",
        "WR2SUuG3cGp0LX8WWKx",
        "u63Im8Gmo7b9NUpsaLAw",
        "\"g\"8e'",
        "dmMY2LXWL0aUlgCJ5YO",
        "c7aJ8lkvuocGuQLA3mL",
        "(s<,a",
        "ptAJOs3zT73QkD8YNpH",
        "Nkdprya5XPLtdjpfiFR",
        "sjdb2dvtIvrQg6Zx5be",
        "set_Callback",
        "yh3dcS0Qq9aThavPUOW",
        "#Fed!)D",
        "acpAons9HMOUxck83uM",
        "OriginalFilename",
        "SO6XgUBF230N32i03m5",
        "AZ6TGtFuQe",
        "hhuOiT6lV0HyCN0cyKq",
        "_Lambda$__69",
        "ListViewGroup",
        "hwNBWCYyLw",
        "nnvbMJCvFt",
        "{?]w3",
        "C?0y\"y",
        "UOSM1LGZ115cMWv0FdsU",
        "BCsda6OjhT",
        "'8!ed",
        "vY,Y[",
        "k6pQj70tKF",
        "eI4VJDM5P6StohyTHtD",
        "~BFo)",
        "0sP}%M",
        "NRexBnksd10woYkpp02",
        "uZXmiK0hFsNw7Y8eA7G",
        "ojqJFQRzsnG53Y5tT2P",
        "get_StackTrace",
        "+Q Zt",
        "*_y=]",
        "5@'m3U=",
        "GControl6",
        "I8MHDQaWUrygjTUcjuB",
        "WMNg79d3iw1EVTnOTmb",
        "x47UNRLPCFvpt0PujjH",
        "uD5ArBGCw567SG58c8mG",
        "DsGIaCvc7L5dt0KhVsq",
        "6DQ^T",
        "oUOtqSGXVESWjkvwQ5ng",
        "9P]'$",
        "JPOT4ZHJ2T",
        "XwZxr",
        "N5$GU+.",
        "H5KS6i9EUf",
        "EFbysUTiJb",
        "fb6lQlebhSGc22AWAA",
        "rPBR4st2M73fAyimNtc",
        "OnVv6IG3pV0FHi2yLgS3",
        "uKG$_^",
        "WkOqej4EI663m6Itr2U",
        "xghYqiEAu6pVPTbsIVv",
        "GH6ByUwo7pMflv6gFq6",
        "lemJu",
        "oO5JeMAfrTdFZHCEPsf",
        "IClient",
        "MhIKguGEVhO8pQWDkH1T",
        "JiBCkgGR8ZD4m1ERwoRr",
        "QNvL%",
        "xQG5OUj67XTwZcJ4Rxr",
        "tS7yEv2IYO",
        "Q(w:Lk",
        "msmSpQ4afA",
        "Hx2wTOGYeTYMkb6kxUZA",
        "HeObz",
        "nDDj69GxuacO94j9KkfO",
        "uLM2qHGxOEMdrxNUAgdw",
        "W6P4Iq",
        "ComboBox",
        "@7Gbp",
        "JPQIeWGx9FSaZXy58i0f",
        "FO9ZrkzM5yVX69SiCZL",
        "uEk6kt6E7j",
        "IXbng5Ev2q",
        "r`OR0J",
        "SlB1#7",
        "2EgFK",
        "eLVQbUGEbUKi5hAScKeG",
        "qJjqYe6yZF",
        "`D3mE",
        "jwWSqSe9M",
        "w6fYLnhEk5FakcBYedY",
        "Lu21yFGRJfN9twJa7cyQ",
        "a}dAU",
        "FpMCvGHRdY",
        "method_4",
        "Tw4uraSRdey2EMwXc72",
        "i3jCt7GPsnPKTgoVJbD3",
        "{.Nr:",
        "*7pH<j",
        "gdelegate25_1",
        "u7CNsGdeelVxoyWxCt",
        "Compare",
        "bUvqM",
        "iKf3bSJ2W6ydnLVd5O8",
        "VmKyCnrxUXO3wvdrQR8",
        "AZqYo5d747XiS3jqfOo",
        "ReadInt64",
        "eSy5HJokLKmJAHghIje",
        "OW2fxbisJX",
        "@1_t9J",
        "mpkGVnrHT9HpTUElOUs",
        "KkCEEVAaxQkp2xXWCEB",
        "D@)9M",
        "LL@*K7",
        "lO64X3GngRmtfR4nXrcr",
        "kmcnw00BHM",
        "E-[y{",
        "vVPHx9GVwj00ycFgKYug",
        "c~rl,",
        "rnyu6RwriSYi1EoWdpm",
        "Tcg3H5GgGEHOj8SMjHNp",
        "}>^3%",
        "IPO73fppabLyVYyU9BI",
        "MQMe1AGhCuomJ2jZtvCu",
        "mswAHNGY5thYVSDhtHvh",
        "BeginInvoke",
        "CJajqRNiEWoAjYgbynk",
        "t5qy96Grq1hDtWCFnWBO",
        "s(*)|",
        "maaRV5pactZlndqIcnx",
        "KYCdP1GNHkQGMF7VRNk5",
        "S9nZlLJ4vb6hktCantx",
        "L7qSSsjp9r",
        "callback",
        "MKSm4fwKFUiHT5XAful",
        "EinnfwrkrP",
        "JG7lysHk0lso8IKbtHV",
        "l8uDGZ5jqh2B85tixT",
        "NMOJL9GrbdEjgFdu7Dds",
        "Icb7OBbdeCFcc9mGnXA",
        "f01vxayThF",
        "set_TextAlign",
        "scmD6Jf0rS",
        "}}\\s.C",
        "WCI85YU976tjdfBEjjT",
        "OdQ10sqdnN",
        "r064c",
        "CRMBfGlf4rKE9CeiQIU",
        "csoNaGGh73LM6QqYUxVr",
        "MNqlj8N7d6",
        "k7&CHc",
        "Ih2VYJbXikPBGyDghyf",
        "EvsYZXGg1UGLQhPbHuhH",
        "Exists",
        "uaccwxFyYOVTPKaFwEU",
        "+[?8#",
        "NanoCore.ServerPluginHost.IServerNetworkHost.RemoveListener",
        "3Y~TIH+",
        "x3mE6QGGlmhceXNamGeg",
        "B?Ko~",
        "method_38",
        "ltb6mMkIIk",
        "JOLso1GYOrAY4S4Su7dL",
        "CEVioYxg8L",
        "Kt2RUPGfjQfZA8kQGcnT",
        "GetFileNameWithoutExtension",
        "LJRiA2Urrg",
        "ravuWY79QVPQABJmbNw",
        ") 08{",
        "2'ij&",
        "Bady<",
        "vJNVRQGwulYkZrLjOd8y",
        "hE1wCOGMqZPVgPLID1Bk",
        "FRHpFdGmHbFMYmApsp3J",
        "a387xkD8GMiNJHT32I",
        "R0WnLpXQmg2nEJJoc7N",
        "Au0I2UAWIiwV2mtO4SZ",
        "IUgh^-T",
        "CUJl4aGrWs1jJg07yFGH",
        "MRoxBd3wHu",
        "VaPwf",
        "aSFkpAGNMaqFJ7I6xAqY",
        "g>v,P",
        "DOXntSQmVpqvf00umrF",
        "DisconnectClient",
        "QhKOSvGI5No0KYDtM8uU",
        "uUcqslfUYB",
        "AuQncygVNG",
        "GKAxuNFXnJ61Obx1sO",
        "k6FD2wrOVY",
        "M3cJC",
        ")q]6a",
        "aTowW8GfHGqgbNgutpwr",
        "NVKJ4WGNzOqG4gaIsgJ4",
        "hyr72N2S8L7DJCwURwY",
        "ipaddress_0",
        "nrU6GvGKAsL1tWTUi6ol",
        "comboBox_1",
        "gclass35_1",
        ")xpA{",
        "KlERoIGvLiUhyiSD5er",
        "Np\\y\"",
        "EiOmOjGLPSgaHag2dpjX",
        ")qI'( ",
        "H9UVErq4BB6vNXxVot",
        "BasicBuilderSettings",
        "yZJRwkIUCXWrw",
        "remove_CheckedChanged",
        "ArrangedElementCollection",
        "j9TRy7ZtbC",
        "BnjIqLSOl2IIOrN1rKt",
        "nlnPKXdmJf",
        "cniqxsIk7jbgTLYl8Re",
        "QRXBvD3XtOIaGma7SUZ",
        "K-J-fQ",
        "OIRlEWCCKY",
        "ThreadExceptionEventHandler",
        "QGZwTyl4SbdDvp7bT5c",
        "gruQ7uk8IRkMOCB0SeI",
        "t1jwpATdw7",
        "KEWtutnFDxhaBZMAini",
        "j<nQB",
        "AcceptAsync",
        "'g_tx",
        "]&Ui{A",
        "]T<!?",
        "_Lambda$__7",
        "get_DefaultCursor",
        "XjLhGlGAO6bBD2uVqf5x",
        "-<XrF",
        "Sdvs2",
        "BB2yDepSaS",
        "toJ9tX7hIym2VXcOK7T",
        "TIqism83JssCTVAkFQ8",
        "FR&ke",
        "ySCAYSwIwv",
        "vYXZ5TNlLfdurH0njD3",
        "FU*h!",
        "QmkD5VJf4C1uvKj70K5",
        "KuavSeZXed",
        ":Inw45'",
        "UOq8wpVcf60xbxeCWyO",
        "[gmh,",
        "*7PA2M",
        "zL85ZgWjV5ODg8ExdIc",
        "rXE115Km7M",
        "*W,a,d,",
        "pictureBox_1",
        "XgPgNnGGXo883UJ8UnZN",
        "nFJAgnoyGw",
        "ContentAlignment",
        "<QQ#4",
        "XrgoRlgLT6cW00Tiqyn",
        "XvVbChSsQx",
        "a5F1A3kpqh",
        "vThHE",
        "sKUVvc2h09MG1VEac6",
        "a3*WE",
        "FFC8FLDOudJ5ehATqYb",
        "cYiJ0qPana4EAu6FGsu",
        "fXJcN2rRJiuplvrXXj2",
        "set_SelectedTab",
        "e9X>u",
        "__StaticArrayInitTypeSize=16",
        "#GUID",
        "qfZlTc58dp",
        "DA9SQPNJtMVufvfQO5w",
        "uPG7sF4g2bc0M7Seby5",
        "qKK7qwGwdVpZIReQkCZf",
        "pmbsnWPZwngcRkQGjXd",
        "p7nReOaRqf",
        "aFjFJ8Gflo7IP7wlJ57y",
        "Xa9qYWHs1aE1CmfVv8o",
        "lp$Nl",
        "AtakIqGPGD45Vl9b1wcH",
        "Pbgx4qJ4Ls",
        "NWGHaJktLanVDjGg1AV",
        "yS}N@",
        "IndexOf",
        "XdyAgZgKE7wXxOH25jK",
        "get_SelectedItems",
        "Qf9bekcFmgJxFxQTqln",
        "OBrTDJ0M4n",
        "Dc8LXDA7OEkBadrKPsU",
        ".e*Z)&",
        "s0Ceivp6uj",
        "dr2SiEGVelaRdsqUeCDd",
        "n0SW0OGGI4OlIsMvTRRA",
        "set_DashStyle",
        "Vo4taErsT2lGqIPkA9b",
        "LqCkxT6jrlQsucjnCOl",
        "Rfc2898DeriveBytes",
        "ComboBox2",
        "IADqfkPqRv",
        "B21D8Nroyf",
        " IZ$0",
        "9(62O",
        "TxopK",
        "c5gJDfGr3NTsTV0CRm4E",
        "CLX5brQMK3BgEK2G71c",
        "EfiiCbmELDuajk4sU4L",
        "7:W:&|",
        "qydFMd0yuZuZMXvSBY",
        "D3xsuk1dOOQKs63vFZB",
        "Button",
        "'U^[e",
        "Xbu7TksDsvnjs5YNBZm",
        "tfL21qOZHgkwYIEiNU6",
        "zKMbvnVYkE2Tm6fAtoZ",
        " !td`",
        "add_Shown",
        "[S\"%>-",
        "l4fxqCDWYqeOpMY3EgM",
        "Tj4d4jw1mG",
        "rvShPXIp5MkcNpaFMxU",
        "uIlA9Mj5MlrexuX9QJ8",
        "GClass25",
        "JXhtLPGhQVwEqRo3H77n",
        "X,k&^",
        "f8jo8gGEcrMvZd1dAshS",
        "_Lambda$__70",
        "LdV4p8GI1NX3xgAv3d3H",
        "*O[,]",
        "VE9X6Hy7FCWqlJyxmJn",
        "Microsoft.VisualBasic.CompilerServices",
        "weBO4Svwh1",
        "ifouMbThVlaT0etP96S",
        "s3Wdi1Hoi5",
        "b!|!X",
        "m9oAx3sZrytWeplVCpS",
        "amCmkCZVl0QUMC6uuYt",
        "acPLXhGZoRAX70lB8vMB",
        ")=,{i$",
        "MEw3vTAwOWAHHjEMxxn",
        "j3K7sUGEwutpbVvITvKp",
        "Container",
        "JK7cBaGxw6mgcaacRtJ7",
        "BjjmQ",
        "}'Lx9",
        "set_Text",
        "KRhrKNpLur",
        "lXVFEiGepRxFNvghg0wS",
        "RZd2$~",
        "xVBYFDjluW",
        "XPD4Hu6HYOOj4V7a5xS",
        "TransformBlock",
        "aYYlobPMjn",
        "vLAH4nR",
        "vNiw3bZtJM",
        "RceImDvz974ZxIjrdR6",
        "TabStateChangedDelegate",
        "MTgfu3YJwLvEiMfdYRN",
        "E9A`#",
        "GFyo&O]",
        "kh/59",
        "zmDviPs2Zg",
        "ID7rEoBfA5XtZ2QLlFh",
        "ci5JIkig27",
        "_Lambda$__15",
        "EyexSdU32YQtiWRqDGu",
        "System.ComponentModel",
        "e ?Yr",
        "kqLYM7oEiWbibWSGl5r",
        "gqRBvXZWaMcWCuYLu8v",
        "y0ZiZNX4rU",
        "$657166ec-df19-4a6c-af18-dcf7f06759c7",
        "IsLittleEndian",
        "J@D@p",
        "3bOe9",
        "IEZm8F5nnZdlP97DXNF",
        "(VH?]",
        "GClass34",
        "UnOn8gEZNklptqYpXxc",
        "p12nkWwdBwjA8rc0fAT",
        "'_Az5x",
        "aFsoI1B0h0",
        "KuE^gT",
        "NkcUG7GGBu18Y45UyW51",
        "_Lambda$__38",
        "=\\gK14",
        "n2S>.I",
        "cOGiHoy8Hlm8SXpIy0J",
        "ykyVwJUe44BQpcgd4u5",
        "gPBiUA48vKVQrZIYME",
        "ACQ6EMpQ1MEKWEjvsty",
        "byte_2",
        "s~~t3H\";[lt",
        "A!BUBiBbC|C",
        "Cz7lbg",
        "MMQt6QJxCcrYVqL10G6",
        "vChu\\",
        "SdIsf26JRkT3k2IurOp",
        "ntP|,HZ",
        "vlUtLnTNxHe7HIJ167Z",
        ")V+X[",
        "KFs1a",
        "HIX7tRAsNy8J8cu4SB3",
        "vJIcuhcL9tQ7NiICpjZ",
        "e32fVwGfFaHQKaKRaXcn",
        "swQcxgbUlK409dsxq4H",
        "PixelOffsetMode",
        "UKmyUYZVMa",
        "kh`jo",
        "pja7FaodkGhlUeRHuOk",
        "gcontrol4_1",
        "6~e.*",
        "poX7AlUE60d7P6O35bi",
        "get_Hand",
        "+$pxP",
        "pILqolMVkaa3Z3h5XQj",
        "GDelegate16",
        "jcB1J0ahEH",
        "ea1eAoGIveHffjUSiQZH",
        "SfsOLoEy6D",
        "HvJ8wZGwkS30et6jHMmt",
        "TWHXSVbRsEmXoJ3YuTh",
        "anuOQNGkKBIIECyYwvp2",
        "uZ(f&",
        "IQ4SGg8Ivq",
        "zj^c<Lo",
        "EXrNOdGBHNA1raJVSro",
        "zT8pyUtFeY2f1OiCLLy",
        "RXjaYGGAkginMIbKSLc8",
        "opE%E/j",
        "z3E8xvZ1uOKIktjqt9Y",
        "G{zx+Jm",
        "gqWNfOHB2EAOaBfTekV",
        "shKdRe1lFPFy00pRA1F",
        "AeSt8c9DAGEBf5iH2Ih",
        "AhN1IVFHQ9",
        "JpiOZplMlf",
        "zaqojpHwvbc5fbu2o1q",
        "kpOC5tSJuB6oxXLBfBw",
        "0u\"zh",
        "bWv8>p6",
        "FlkOLn7ywXncWVDW608",
        "GClass32",
        "HP93ioGkbIGDN1cBbZUg",
        "%7us9",
        "uLEZogw4dkoYk0KPhYV",
        "v&w7S",
        "awtvrCGmzm2KdN89NctN",
        "5VY#$",
        "Label29",
        "ListViewItem",
        "S9#QK",
        "ebd#}",
        "/'p;on",
        "E@?i!Ok",
        "CompilationRelaxationsAttribute",
        "QlwCbFyIwg",
        "ty4RWTLc5RsciiXc6Zt",
        "numericUpDown_11",
        "TableLayoutPanel",
        "_&S*9",
        "ExecuteQuery",
        "KhXmQSrEOYTGfNHfoaR",
        "ol2sd35sZRRiSyPmByJ",
        "Color",
        "FocusTab",
        "TPBQ8SjbB5",
        "V($}D",
        "lNo@dDi",
        "d5QSvk8BtLd0n2xjjh5",
        "JpL5fFk2nCiCuEuMmgA",
        "V$w5r",
        "ekeNrZ5GEQetjoUWHhp",
        "Rcdte5b65kmdn124AW0",
        "reiTYU0RgO20jr4YsmB",
        "seQXktGVTlXPNWpV7L34",
        "u5J7FUgEDfIUDBvB5nm",
        "h5FR4bq9QN",
        "c0JHBtOnggd6B44PmNV",
        "BuilderSettingChanged",
        "Ht6Tvtvv8C",
        "khBFBbGViH7ovIEprmrP",
        "DOEaWll2f2o3Cysr4JT",
        "set_LargeImageList",
        "( ,!U#",
        "_Lambda$__9",
        "NextResultSet",
        "    </security>",
        "Monitor",
        "eMRTmWtq0Z",
        "%:B?S$:",
        "lMes7NyrnO42ijhQuHG",
        "e9qWtsGIAjwJvuCcjGtm",
        "Cb6B7RGGi9VFdeNeGZMm",
        "bool_3",
        "Connect",
        "z0HqrP4mbt",
        "AddClientColumnEntry",
        "Wiv0iej8r5AK2A4VBlD",
        "NextRecord",
        "ObAESJe9p5R7NcTE4lZ",
        "dKisgAGXl98vXB53eZfJ",
        "ieMDMx1JWV",
        "c:f67 ^",
        "LHWay",
        "jxIB3OGKsNYjeA4WsUBN",
        "Q7$^W",
        "jNk8503knZI7xly6uc2",
        "b| KA\"",
        "VYJGhjGZxNKyHvV6wQTW",
        "egDoq",
        "Oow1jJJYAl",
        "SZWtOEaL3bsXjotsbnG",
        ",B]ye",
        "w6InuqbjYa",
        "h6fkbXGI4a9BuknCtyOF",
        "XexfuJAcqpp2veiE0KV",
        "DgmDNKdaSg",
        "CEZfPYiHicKKBn6t0Lt",
        "v9ALtxcAy5ouGsHuE9H",
        "kDDwvlJFhX",
        "vu/$g",
        "EnsureVisible",
        "pXekKHGIL7Z3maSPdajd",
        "yr8gKpGgaEqbxWJ5OBde",
        "oQ=4Q",
        "Z1 Cw",
        "pluginViewer_0",
        "ylprZ2J3YbrpuBvbMe8",
        "DAv6T1GmYTRu9ygLYfhO",
        "zEm9ju",
        "Cvcus3ielvnq8m2v6cE",
        "RuntimeTypeHandle",
        "_p2Z`",
        "jfjIPF52a1pPLFAMu7D",
        "PSanWN7Mi6DETb9YQd1",
        "wGRi9fGfJng34uTpwCGL",
        "IPAddress",
        "E6QqpoefH7",
        "Kb,dd",
        "HTUA0G1isqX7fc0Vd81",
        "lHFjkmGPyyjrYus5CDfp",
        "mZ'g]",
        "Ip7rHLxOKC",
        "JmUotU5bWh2WhYOhphq",
        "F92MfFVqP",
        ">VC<%}",
        "ClGxhvgiYHi6qAQklVH",
        "tK-E1GfX",
        "$T./gX",
        "OFte_K",
        "gXE \\g",
        "A3K9IiS97Lj71wDTjNh",
        "nbn9!",
        "Timer",
        "oOParZsXsbM0P7VYrHX",
        "*}2I5",
        "a~o.G",
        "pLEhT9KZIDEddsXWC7a",
        "U4J2fDYSCn1e0gJq1pO",
        "mG5S877pWR92YQ54QIk",
        "vZ|En6",
        "TiSAlSNYRLglih6i9LM",
        "ebgCBFbjOS",
        "jyOxmambo37KWDr3DYv",
        "]K1Kq",
        "sWi7Ux30ZSh06Ql9RP",
        "CTeDfw921OohFH11Tok",
        "K8voZVGl1l3Cu6ULTg3t",
        "cqt09MZfWLpgG81sZYG",
        "ioWoot73F048HZHjccH",
        "(wp0_#yX",
        "oPa684GEnPYHWkqAnGrf",
        "MUwKlSGLz5ssNwZiDyEd",
        "BOHGPgRdrJGayoaWQYG",
        "*,M]+uz5",
        "C6B\\#",
        "set_CheckOnClick",
        "RwevoS1uEx",
        "ahcjEwGlRTcvOt4nVL8i",
        "TpeNUOGm8UPPJcXYRLsE",
        "WSAcT1eNAXpdW7uESik",
        "kOCUIdghx",
        "oDavkDBQBb",
        "SK00oALnJM",
        "~VP]X",
        "U3WYx",
        "nQD1vJkolWc9hY8LHY3",
        "Jp00YjR9Vs3y4nxAwTm",
        "r7Q7XM8Y4aGhHht5B8Z",
        "GDelegate18",
        "%CwM/",
        "OrVaAvVMsrYUgGL38xR",
        "set_IsSingleInstance",
        "get_UserControl",
        "&R=z9",
        "NQx9RGK4w4lxI2N4wv9",
        "Jvg247kSbQeupc2tW58",
        "2A!7j'",
        "%0q1kb",
        "eGS:B",
        "gzyBJ(",
        "CvCgSay2fRNFs6V3Y8",
        "ColorCount",
        "client_2",
        "J!|eN",
        "rtaTwybIAcyr7JG221",
        "rYl?dg!",
        "^*\"1*",
        "}pmX'h",
        "xIWueqJioyK66BFXNIG",
        "&Xoih",
        "UqA4AfGzc3tQeg3wMQM",
        "LxYdvm8RNv",
        "x8XUY2mWUohGPnT0TgP",
        "o~z!:",
        "method_26",
        "fnQEPJnEcV1TZ7PeuL4",
        "vp?QEa",
        "XDUMidGAQObGMFVymmlT",
        "~76D\\",
        "{I/u3",
        "qv5FlrFYguIy4ZO1soI",
        "\\zWkV",
        "HostDetails",
        "yIdAgYFpy0G5hFCN8je",
        ";NvEL",
        "F#Hlyu",
        "ok6SxqG5NX",
        "YX1@rC",
        "SkcWauXY4hQUTGerySH",
        "TextRenderer",
        "v7VCs6R6Od",
        "method_36",
        "<?jiw",
        "` e~rM",
        "`0Z7~",
        "0x51K",
        "IxGf0FGgZ5e5Brsp9EpT",
        "FJrtQy1aTZe06Pqfcph",
        "JVfhG@o",
        "Zs~$w",
        "BIMHHpGCQ2rmmmv7FZec",
        "K5D6Q0HgElvdRHbPkU4",
        "YSH10",
        "k4YfZSTDxBw1mcx67CD",
        "D6lNfYUG4Afscg9A94n",
        "iv0wkRGxjnVKAwR48EVB",
        "CuNtPsTEPmhnXAJRdNa",
        "E16Nx3M3xkTenu5q81n",
        "ORFjKbr6cC",
        "uint_0",
        "B7quWnGM0TLnT1vqvAht",
        "fyeY2",
        "SUbuG",
        "NLXjFlXxCp",
        "lhtnW4FusTpZEGWmBhx",
        "CLRCreateInstance",
        "TDj8g6GxflmEDc856qKB",
        "PLGcfs1D9N0pQ2uuMd9",
        "rXuZHIGGYJtutl6e3V1l",
        "SplitContainer1",
        "hb&=$",
        "H3erhOZu9I4BoK1FEde",
        "xkpUCkGVhveLHRwOLo1R",
        "Yobf*_",
        "V0cpCWir8VPjTDdohNL",
        "TTkA9PuvHTHgvj3nNZU",
        "26[@V",
        "n1KVm2GxldUWGUl5TNtC",
        "Mi1QWkVbNY",
        "<1IeZ",
        ";,KluO",
        "VerifyData",
        "oNy581lLnQ1V5vITQLw",
        "sG23mJNVBOniG39N3uI",
        "d96LD3VbFSFPox8Ca47",
        "eYCq8R37oy",
        "v7z ]",
        "ba493",
        ")+fWF",
        "XQRttlGEkA0y2TcW8ATm",
        "B3O4yKNDC4wIwYmXTH",
        "375zn",
        "RctFP",
        "EbCRrxg24o0yEmTZf4K",
        "ToArray",
        "FkZd1lhXK1",
        "LJ1A]",
        "Cg=jK>",
        "CgPRFqVDn4VwFQIn9F2",
        "hs8cDLGbpI5XXJT7vxsk",
        "BWI9r",
        "nRTwN3iEUD",
        "VSnHCDU00XYYN9Cfr5y",
        "        -->",
        "]\\6 j9|",
        "mx3nl5SAT3",
        ">gIWb",
        "QwUs0Yp2ANruWydpwyy",
        "aQ|xr",
        "whvaMhEBQ71cTHLn2ve",
        "hjLsMIBSvwfMBxAt0q3",
        "V)GE >O",
        "UInt16",
        ".EL*R",
        "MCo9kIl7iFmUhaZRrd8",
        "get_Status",
        "Ejq8 ",
        "Kvq6CcGEtQLxJdxloFVx",
        "ContextMenuStrip",
        "jAOqakrhOgGSSQRZuh6",
        "JoiTRxnoSm",
        "FormWindowState",
        "e2WQuEgpCktGxyqpsxP",
        "sPU5oW3EO2",
        "QX6FVvboSMJCXnkKXo",
        "RkjhHjGepLMgu5BkYef",
        "Yxko9",
        "~wm{J",
        "LV_GROUP",
        "Dm1Ektb2mo6EGTgqxl3",
        "HjHY8cvqP8",
        "h*o$D",
        "ItemCheckEventArgs",
        "JReV7UGRcqiteG7TGVXs",
        "z5PStoTfsuZbPvnUowF",
        "SWGFeBwI7qPgn1TGX7Y",
        "uuFlj9QSuKDRGKFGQXB",
        "hpmVpSShoqGtRQnW62x",
        "U3IiE2QiTpg13ceBV1Y",
        "ProcessModuleCollection",
        "M4PRWAGEEm7xNviLTCuA",
        "add_ItemDrag",
        "r^K\"8G",
        "sALRPfPOoQ",
        "rNxAm1PgXh",
        "nF9g(",
        "Le>8h",
        "Tk0ZhiDvqv8plxp8agj",
        "rJ9yYZGXk6h4ew690QAD",
        "$$method0x600002a-1",
        "O7s2RcVXC3XqrB6C6wa",
        "pIRvmJGNfx5QTO384jEo",
        "ht9;<S",
        "K@Lgc",
        "KSRheR1AmAQCgoO2i1c",
        "MjaR7aGETo53A1odKNX1",
        "{*j<)",
        " emMlt<",
        "a8bebvaxPO",
        "aScmT46XujPSRPVLLjv",
        "3nOe\\",
        "PcjDwCqk72aaqmkBl1Z",
        "SetToolTip",
        "Iw0QVdGYUlNvNnjSQxfO",
        "NanoProgressBar1",
        "add_TextChanged",
        "9@e)p",
        "nsScpN4F1LjVnkM6mH6",
        "T4Nf5t6Tfy",
        "epLg5",
        "0bLq#rh",
        "OOU~F",
        "*A=7g",
        "set_LineAlignment",
        "mQ0jRGf5MDFKuY2Rny2",
        "PKa8PP9OmIhy34kRWAX",
        "v6tZvqGIPBeX9XgoVeg6",
        "aKxtGKV9qgoS111TOkv",
        ":[s-x~",
        "HEC5aUh9WH",
        "`Oa]A",
        "Dvfln39bxP",
        "GStruct5",
        "RaUcLSGCVUASONkGKeOm",
        "J~h?wH",
        "YnB1mf9UNc",
        "GetObjectValue",
        "Kxj0BMhceB",
        "nwLyuOD9t9",
        "gMoWCjGeigIsYoKIbtUC",
        "wf'3}~",
        "<generated method>",
        "KXbmGKWcZJVMXtlUMc3",
        "\"x#Dy",
        "lAtfocGmdtLpy4a5hpAP",
        "wu,b|#",
        "kgI7qSIJbyUCRIPywOS",
        "SyQB\"",
        "ContainsKey",
        "T6|<v",
        "BuEjVxSYiQ",
        "sqGjEQ0i54chGfDQuG3",
        "gk2sNytErPL66IiTQwK",
        "FP4j5kUWNp",
        "Label11",
        "a9yf4S1VYgqy2dpXo5C",
        "kT0vCrHUGO4460DhOTa",
        "UKOfSuBYoMuMU85wvoQ",
        "paintEventArgs_0",
        "0\\|W`{No$v/D",
        "~Y)(n",
        "jDQvRvRGdL",
        "add_Paint",
        "v9RcZ9XIaHYE0niiVsx",
        "M^+Q%",
        "XqSY7wSqDaJeqOrwMTP",
        "0pyx!D",
        "\\+=F~",
        "pauv3pxXm0",
        "Y4ya2(",
        "XdgRUpsw74",
        "FRbvHjMemp8j3dIpcPv",
        "SlOGRJGVHoeenLXORyed",
        "get_CancelReason",
        "ColumnHeader2",
        "aK2sOdGRqdunoofyimB2",
        "QJQgFcGrkAVqw4HGbsBx",
        "zSbwH6GRhfHKvsIgxZiv",
        "6F;Ycr",
        "_Lambda$__61",
        "AbryifGM6kRtAAp3DOB2",
        ";6y)v",
        "mTh$=\"Eq$9J",
        "um18RK8p2qr4MS8xhNH",
        "Ap?6>",
        "get_NewDisplayIndex",
        "wML9H7rDNsKEGoThgsu",
        "XTlPDTH1ZGxu01jqC3J",
        "cdBMBpvsh8KGQTN5dkR",
        "']aZ[B-",
        "asqH2qGGSk90PMfMkl3M",
        "_Lambda$__25",
        "( > O",
        "pbnKgx9bqq1MsI9vgZ7",
        "AMapC",
        "Transmission",
        "YOqJhhUSC2",
        "eljqSAGYiQLISFcOtsLC",
        "CGtlCUkNKVFwyd8U2eh",
        "JOj6h=*",
        "'8o\\jx^",
        "IndexOfKey",
        "iZqQVHGP1HhTp6I5HYFb",
        "dS6j3cG8WIexXOPsRaob",
        "aecZfSLAAvfsZAdgrFC",
        "nFliOV6uD3IS5p9mljG",
        "svH7QVxFRhgppaBJmQE",
        "cTPyZhG4aH193W8oJu7C",
        "qH3JMp8G8XMAlAmseCH",
        "CIEjiGhhRYvMhkRKyYX",
        "NanoCore.ServerPluginHost.IServerNetworkHost.EnableListener",
        "QaX9XhMEEbwNYX1BoBd",
        "JIpjfMGVtPNll2ghZDRU",
        "JpNlvufrjuKGEbdcOBU",
        "rgNg1x45hOMR82TLIrj",
        "MMJubEGE4Z8L5e4mYXOH",
        "Dnf0X7lok6",
        "d+<0E",
        "aDFoJeypph97vbTMmJt",
        "sc21hWRL8ac3MGYc04J",
        "WaNcJNSYuI46GQUHACp",
        "Qusl0IbEbN",
        "trMfJvF03DHIMpMCDEu",
        "UP30H2GRpEkV0iLjUE7l",
        "BTOrG03fMV",
        "kaA_E",
        "T(\\1|",
        "MTBBnD4d2A",
        "AssemblyProductAttribute",
        "hP1dMp40aV",
        "get_Length",
        "LYvxzE5PHd",
        "yxMCyFGLWInoQovUZ67V",
        "ugEEJubutK9EUew9dl",
        "h}PYWo.",
        "kL6s5eAFjgKtMHQKeXE",
        "N9fr9Cv0fO",
        "pyx6BwGK2FaJ2BO86P1r",
        "D7xBRBGZtY5ASkDuTbJN",
        "get_Panel2",
        "M*J:l",
        "YW1gMDdcv9Go6AQ24ux",
        "@d*c=4p",
        "FileInfo",
        "add_StartupNextInstance",
        "EhpJPKGVI5fNJ3XnaQce",
        "\"g\\:~y",
        "p9tAhQGKnyRwhG9MyCAr",
        "h\\2<\"g",
        "gclass8_1",
        "mLZOrcl5MWPsSdvYxWL",
        "O71JvOGVXu26faIBNKhD",
        "yJG4G1GxehkqpiFcAadI",
        "ConstructorInfo",
        "EWPYHSoPCdP26hw7s18",
        "IEDfnW6E4obF6QIKInL",
        "iB=u9",
        "Change",
        "XP^{5",
        "\"iPkx6?",
        "_Lambda$__34",
        "w6bNioNKuHQWtYJk54e",
        "kmFvWHP8e4",
        "Pla8cWGPl8vSJDrSffyd",
        "kEM=c",
        "ColumnHeader12",
        "DAfUgt6IFcauQmaExMa",
        "MessageBoxButtons",
        "TFKVqj0ndGkvJMeWDHq",
        "XFhYWJGEr4JUZq5RX4sY",
        "W6wH4dinuxP9keXVfSG",
        "Vq5WOTGMDuaQUDCTIrYr",
        "RRDQWxGklImtwVHSXZHv",
        "LBIEG7G4S4EyW3vlKAEy",
        "lGMni7ayZKuDWfYj76N",
        "vGKM1TpeAZWWPaP4HUM",
        "Qo9ipGWrtX",
        "eal1jVGgTtXj2GtYEUKm",
        "oNMqnLw02heOiReDS8c",
        "SBfoUiGCKu",
        "jI%):",
        "CornerChanged",
        ":<Phn",
        "p0KrYvGhm3KRKMmgklZq",
        "HEt9GDke1UdnqWwLdEd",
        "XREbjs6CZRT54NxmFhs",
        "pUec44LfQ3p7BSS8weA",
        "FindResource",
        "m=sTPjHM",
        "\"oj%6",
        "osBLnHEE6q1lDjJbkqr",
        "ToUInt16",
        "N9J6YEa1pvDA02phRTC",
        "get_DimGray",
        "flags",
        "WriteInt64",
        "o7PZmZw1Jl67DFHFFjl",
        "y0[V'A",
        "oeutFLmUn1B5QXadL4u",
        "[yGR\"q",
        "aMvkvjN1Rmc5pHuc4iL",
        "I5G00HcZ4y4yEwqZmSu",
        "[+kR!e",
        "h/I28",
        "VS_VERSION_INFO",
        "WidgetEntry",
        "Yg=P[",
        "upQNQLswOVYmjVYq86t",
        "Mjt1cZGC0ZxN7kSS5CLJ",
        "jlvt7YGLZ30xlOjTHpFd",
        "u89V0IGrx0oLx6w1qqtp",
        "UnhandledExceptionEventArgs",
        "oIWMSwGhybTPlUZlTv0p",
        "MEsDVk57VyhkyNSm7fq",
        "t3@42zA",
        "LogBuilderMessage",
        "nBC{i",
        "mCJhZuhc9eAqVBZaR2O",
        "{VEDU",
        "qDEnvoUefs",
        "Iv=7^",
        "Q-7*[",
        "XkHAGPVocGL1wcKPfAd",
        "Ri5#8",
        "Xnh6hyya3L8ZINTyn8F",
        "YW0Vf",
        "$ga.`&D1o",
        "ColumnReorderedEventArgs",
        "gclass19_1",
        "DeleteDatabase",
        "n5pQTQGATbno43Injm8w",
        "jYXhqDnIrEqZfR3RATy",
        "\"$2%ay",
        "Label1",
        "UJ>'9",
        "S4dvIkG4F9L7VHK1rF1h",
        "H8qAqZtwjfE2ktNhYk7",
        "nthvCBqDX2",
        "'>O=`a",
        "yeZsthFm6TR1ByQsKc3",
        "Chg4nTGpEmPLPcsB0Un",
        "'w4)h",
        "TryParse",
        "XxQcjf",
        "Height",
        "address",
        "P\\%\\m",
        "VwrRAxvNCNV1n4cqaNL",
        "ex7Nd46tyT",
        "eCLQHPW1t4afOgkJdSh",
        "Microsoft.VisualBasic.ApplicationServices",
        "qk1PaKOpFB",
        "tc0vA03Ixs",
        "E3eeUCxJE3",
        "IRKCXfO4u6ZA2b03NkG",
        "xMvYh9ySbM6pcymPpCj",
        ")Bc, ",
        "5_BHX",
        ".A4T|d",
        "GghBwMHr9tSA5qrYhNJ",
        "yY{e]",
        "kOrSH`",
        "puwf,",
        "QonDnYwqjPD3nCG8t6T",
        "4Cu\\J",
        "KthqaxRi1gD3xAJyrZ1",
        "_Lambda$__12",
        "Lfmbv5Zrx39uDnn6lTY",
        "add_ResourceResolve",
        "UUvn30aMvqxtd0CYrF9",
        "BWkf$",
        "PwS5y0GKPxZ1LQvUY4aJ",
        "BPa2HB",
        "in7P5EGHow2N6038Ic2",
        "fvYlhJ6R8T",
        "NJP5D0evh6",
        "sO/Ud",
        "rJVsd0TVR7DRx1Bu4Q",
        "h ^z>",
        "Random",
        "kllaTVKzOhJCqtkgDVT",
        "BytesPerSecond",
        "{iwT8j",
        "htYXbuSx0rgOMGvdMA1",
        "SdWkN0G812hnEGKnKA4D",
        "JXjHdEfY84A6LIVGT9a",
        "message",
        "sUaSF9GgsWS5jFiyPqrI",
        "&Y5O'qE",
        "panel_1",
        "JAqfT47kN7FLbkYuQdr",
        "`e?LH;W",
        "NumericUpDown3",
        "ODhnDLGsiGJ0anjhqhY",
        "hOlii",
        "_Lambda$__56",
        "rH2RQVHC4J",
        "VdIpXIaR896Uv8FF89",
        "K6hsVtGeSQ2dmbW31aKL",
        "Xo6HMScYOVCY62iG5sZ",
        "XM4Mu6GycCm9MNBom5bU",
        "System.Text",
        "U8Sw6qGyPpdB8o72A6bo",
        "U<hrp",
        "  </trustInfo>",
        "GetFileName",
        "u4nVbiGyY7oKXbD3A7Gt",
        "set_UserControl",
        "rWZjDFskkVNkBPKuOAx",
        "g)FkC",
        "CbdYg6Q9XoGTRVpA0D7",
        "iEpQ3lNCbw3OSDBCWWr",
        "M_T>Q",
        "method_21",
        "MB8wc4Efdj",
        "n75KdFGZpRZcnBeXQHPI",
        "mwaQJlFjkb",
        "PUyyPCNYR8",
        "^f<%`(",
        "mCNdF7GLlucTZ8A9uYiG",
        "M[uulu",
        "XhQPXQbGjRZt7tuJQSQ",
        "TKLrSiFW5a",
        "h4r%D",
        "GhIRSbZZpU",
        "i1ZwBCGxyhQGsRrKiQcG",
        "_nfWp",
        "YXxjEe8lgvqXIFXiVvT",
        "add_Completed",
        "GItpy4GX0mT1Wshm04aH",
        "Xm@BI0",
        "i2AYZZsH87",
        "WhTvi5yesrqkPcQKejp",
        "hfK5N6GeqyqRv0FjR5JB",
        "n3kr5eGh8ayYqcB7g7rP",
        "&Aa)5",
        "(&I^4",
        "KcAjsN4esx",
        "controlEventArgs_0",
        "V-enT",
        "AssemblyBuilderSettingsControl",
        "Rv7qG2RndhQZ0uycu3O",
        "YCpEqmGACiB5m1N5JKll",
        "SBUl%",
        "LGo7ZATHP1p76B6h7PX",
        "TabPageCollection",
        "ueajtAwLq6",
        "E7Y01V7iJyO2TtaRZIm",
        "J\"s](8J",
        "FvXomuAN5yVn0U0mMlq",
        "mqFsGcfON6jDtNZjhnO",
        "VqqZonGfwQ9dDMMJistX",
        "gXrH8ptq9oAh55h7117",
        "hKavJ8GNl8ZvIy98Popb",
        "GQC-[",
        "pUQX17FaRbrekadgqTl",
        "Lfx0q5NkQA",
        "eXYFV3",
        "tcnH07kU64HVUP63xbp",
        "DPrugGGmXr8kMdYx7Ddf",
        "MemberInfo",
        "P[D%}",
        ":G:Htc",
        "QejTFSi5we",
        "J8HSj7xH6n8hgDrw4UV",
        "NBJWSdGEG3Q8e6RmpXWl",
        "JW6DlZ5ISddurB6fnRW",
        "CwsyZhGI88K1iDglLBSR",
        "HwmnB3",
        "lGnxCAM4pl",
        "Okm6?T67",
        "ltI38nhCMkex9xeNT4m",
        "ProductVersion",
        "MXdo75iCTuegxUeXJer",
        "DNCq9AwDP1872lgB7CY",
        "IwZQt200hJ",
        "G3mrPxPFE950vwAJ2Yw",
        "DebuggerDisplayAttribute",
        "dElPT3GgAA",
        "KCGiwhEkpBQ1O7GUgrK",
        "D0ehTeGNeObRPwmNvAv1",
        "'^l55",
        "5M\"=v",
        "gTP3kSGmKgxHJ9vp5ufN",
        "E5HKXRVvblfoKZ1ywUH",
        "SxsJHkHqxX",
        "rfl3Y2clJZmFEEuVcS6",
        "D1AxXWj0quXYaihKKu",
        "R5D55ohPy5tFWLAwU4H",
        "L:RIXw",
        "ColumnHeader",
        "Socket",
        "z:?%:",
        "ColorBlend",
        "Uf1h4pqAj7QO0k3HmLE",
        "LogViewerForm",
        "remFtr8zpl1BU8sjCiu",
        "StartupNextInstanceEventArgs",
        "4%f VR",
        "z$g @",
        "JBZd9CQIXl",
        "AR4XtqqxAPFUxhmjyvZ",
        "du1oct0uRJ4drVpEDZ3",
        "HdRvUEGbcinRKBwUFjFQ",
        "AyRPOofAuvbgrv8epXt",
        "xxbgsjGnnnr371lxmnTi",
        "T06HJDGXSllIhWTKFjr4",
        "45(~\"%HF",
        "U6OB06",
        "IXLmdajTG6uoFwIQlvy",
        "c<H}?",
        "ceC12gGLc25GW7ceVHST",
        "eikx15SrVmIurS6I3P0",
        "LGDlMGuoYlji6xdrCn3",
        "fnTmMxGKlgBOrpmFQ8fc",
        "LZPeo9ceU8",
        "zucwJmVzY6t5ZsWkWUW",
        "k5AOntGKWXUvt5PTcQEv",
        "IORSakN8S0",
        "HiDJiPGgJPkXfoyG32A5",
        "4Ro.Q",
        "$I@^leD",
        "XgCxR3GhtfHQPQNVLQkY",
        "FileName",
        "X0mDviGMbBccnsqO1OGh",
        "d^9o ",
        "cwDWdyqqDL4xsTLc1kU",
        "lhI5SBv8dh6IfJhIgov",
        "UploadValues",
        "k|^}%",
        "rywD7gS2sUDK7nJSOii",
        "NCdnL5niLx",
        "MGiaQ4PvP8ZJRhUniTg",
        "J6fZ8Bv77mU4g09hRn",
        "QNFimmviZ9",
        "lIR7wEGb0uFZUS2fhHbD",
        "oV52e5BdPlgUqKN3Jtl",
        "SA872LMqrnCMyVSZWho",
        "SendMessage",
        "ebe1TOGPxhysFFjpKtQd",
        "+ipG#",
        "OEe0AxInOqjGXYeHG6u",
        "yBugcbmeQdWaa9lvenm",
        "swdq_9",
        "tpHV6&o",
        "k1DBROLBsQaXwY28rEf",
        "MHWQvjkkDNcObqWUSDj",
        "xgCANyt67rFansKA5Z1",
        "uqn5HJ49Sf",
        "UjwhT8iOjO7blc2NkRA",
        "Sk8J97rsca",
        "X82WHWaQ9gsXoaVl9G",
        "BV5)x",
        "ddP299",
        "`n(J3YQNK",
        "YaOr00E4OjyX4O6GDYy",
        "hawAXoqCHFbVnv0Jf4Y",
        "Diamond",
        "LHxcHAGgUfnOrMXiFF6H",
        "(~B=<",
        "HE0RcsMabN",
        "t6AY[",
        "eGT9aXGg7p5HEciCd24d",
        "e+%``)$",
        "YYBJvRu481N995yqcRT",
        "veEY1SGEKtckVlr2pnrY",
        "VREjM0nAg8",
        "CloseReason",
        "vKIIFcvYStRGEl2bdHS",
        "g%zTG+",
        "Dr7re",
        "get_ControlDark",
        "RubVqMuHf3mW7Jw8tmw",
        "xF1JAkGmPSc3NiwSU1cj",
        "CSRE5jklTFwLvyXCpPZ",
        "KbGg8GfcCQZ1SGmvxtg",
        "pfolxt45vu",
        "ttwHoa72J4f89ATIn7S",
        "set_Colors",
        "gyliInNtxhCZbwkudi4",
        "Resize",
        "araZqKGbFY6je1EgUGjI",
        "WpcfJFSoDX",
        "crNbVvY6Wc",
        "~9 !VR",
        "ContextMenuStrip2",
        "Y2Ev4TTEGWkgtveMMul",
        "NZi8yeGGrATq3Qset1wj",
        "mLNhZ",
        "      <supportedOS Id=\"{1f676c76-80e1-4239-95bb-83d0f6d0da78}\"/>",
        "lmJJnwlnqSkNr0S4xc",
        "Split",
        "IPl4pWSX8lt5vmikIR1",
        "%@|i#",
        "UWD6eKb3ZsQ9kbEuyDc",
        "dg0iIngW4X",
        "HYsMHLr7dsdeyEExKbS",
        "cdcQXs9mGp",
        "rs048pgQ3Do4GgfJZSp",
        "nV|1<",
        "iHa5mEf3pSAgF2O90LE",
        "Oo02<3",
        "*AEq6",
        "XxFAdgKIoduhGOR0lA",
        "contextMenuStrip_1",
        "OeATZCF1SmX2jWFM3fR",
        "SS1oZd026ssKwrJgVmZ",
        "uxXkx8GGJWbafwZRkaEP",
        "gWr5q6CWQhUh7v4pfL",
        "WScaaGGXA6HeitYvjR5y",
        "g@aOr",
        "I|s\\|",
        "Process",
        "2IkPV",
        "get_ServerCertificateValidationCallback",
        "gsNLPoatCQEeBlD6whH",
        "EVu58Ps3El",
        "EoJKHCG8A75GOBvOvWIX",
        "b`>&J",
        "Xm653HMg0j",
        "uvV1YEh0PITkJCkKo2",
        "dbov51GgCp3kUDcVpE8G",
        ";0el:=",
        "|2q0:",
        "_,?!F",
        "Jq5bnQHwkk",
        "pqAqAy69h3Wxp3yCgGQ",
        "MXCXDoGyNfNh4hJsptyS",
        "System",
        "get_ExceptionObject",
        "NKwL3c2wlZYh5f3qrKg",
        "g4vWhkwlo1HHuM2Bjd7",
        "Fs$W1q",
        "nL6qp",
        "\"C@u4",
        "kjcjGIweiyUkb5962Gd",
        "#GUlD",
        "Q23TagoQlDneAW7vLjh",
        "ik5N4JGxbVfX8rJbyV0D",
        "klFxwdR0VZ",
        "Aa5g8eGRZhhuJ3M3JYt1",
        "mSlpEkMKiJ93U76lEqa",
        "haAnCkGyKYFbFsqclx7h",
        "kMsgQl",
        "Y+0~/",
        "PRY2OEdepIBUZ",
        "D6u1NvX7qhFei63O3vj",
        "Gi2bvOQ0so",
        "fYHSJsGrPGI2YoGHpqOa",
        "set_Bounds",
        "nBeFs2ODcunOFPGAmqS",
        "h4Om6qG8cIgBZifunFEQ",
        "SioPh",
        "chaRKABTCy",
        "E5jdNJne9F",
        "JjXNX",
        "s8xi1sKqQB",
        "FD/c(c",
        "HXlY9",
        "NJd0rgRFgkE2iZaElix",
        "QmJgnA8wmqseWwPHZyj",
        "wVNHyI5OFpfN3HUEO5f",
        "fVK1Fq07lAAagoNrbr6",
        "rDjbRyGAtKGoUtHIniKe",
        "qC~~{",
        "e-\"}Q",
        "hIBYe7Xp9wJ6rIO3CIs",
        "w5iiDPM2sW",
        "TmciM",
        "IconDir",
        "mo7rMoR0ay",
        "Fq46WZxu1Ne2YNIWt5t",
        "set_ShowCheckMargin",
        "ERPT7lDEQ9",
        "get_Goldenrod",
        "_Lambda$__82",
        "abFShMG4di",
        "W4ihGMxGf6wXrGKiw6S",
        "DmjJO9D6nD",
        "PMTIqNsf9ylw1dYFM6o",
        "p08icjMJhiXPkvjgyZe",
        "TabPage",
        "vMAB9ghsbC",
        "z69hD0Ypti",
        "lXSdekaFxN",
        "SetSocketOption",
        "JGyjx0JxsT",
        "tajY9OWNMa",
        "OnMouseWheel",
        "0Z~Duo",
        "1f-mB",
        "SJ}C1t",
        "dQq1Cx1VbcYWHUehew.artNy78tGiZRfZXjIU",
        "rC,z9",
        "On8oItnaQwa6XIqWJHK",
        "g7Pprq",
        "hpDAyTFUKXmHWE5r2jp",
        "r3qkDZ2x3c2BjlKy5Qy",
        "5\"098=D",
        "0Eo8JkY",
        "C6US1rgMcN",
        "8KMC$",
        "Nl4RJrjZhd",
        "XKRxxvCNXq",
        "[2L;D/",
        "u8q2ncGrVexe4FsAUKFR",
        "cabCGPGnRAEPHdNeF8kp",
        "VfUA5H",
        "UrjndZ85AAesq1q5NcZ",
        "fnJN13hIY10B1UQ8mQ",
        "System.Collections.Generic",
        "response",
        "rHGZcoXG6mRmRV0Iw0W",
        "@{{wx}",
        "ehNqYZfqIyhCksj1iIK",
        "WlGEDV7CkbcjruuCekA",
        "9Z?t(a",
        "VZ90GYOteVCjhjJJGxN",
        "Ay)+;",
        "VJmTdqoLQ2",
        "Dbmjy9lvmg",
        "gclass25_0",
        "FkPv4bXSEc3vI2JJZBq",
        "set_Multiline",
        "dclXPfaIdNEFBwJZNPW",
        "7#<ks",
        " V_yC9",
        "aMrMwdFKyi5xsPSV9q",
        "y5wCnvZ1hf",
        "midvbX3BhA",
        "QPAZT2GYc0Sq1VkbGcXq",
        "\"xaZg",
        "Xti5@",
        "SetWindowPos",
        "DirectoryInfo",
        "JKdSDMXtfw",
        "O2vs<",
        "pDo12Jk4Kxv9eoxNWEJ",
        "BW1HepTefggiN6ZdmCX",
        ".BC(?",
        "knkPyIWToFQuCA0WhnO",
        "Timer1",
        "wL1DQFYXK7",
        "GqpOQn4al9",
        "EnN1clsxyFlCD6elZBI",
        "ItemDragEventArgs",
        "ZV^pE",
        "vWosUyGeFQPNIb4UtEag",
        "u25ejbTKcK",
        "AglEXF5wN1Ko9kmvuSm",
        "+/8yF8",
        "Xyaf4muPV22u6WpaQ1M",
        "ServerPlugin",
        "k$Wg;",
        "FromRectangle",
        "ykp3hXpiivw91PBKItm",
        "jrggH76MEelnJRxCZpu",
        "h67897qSrchQcN7V60d",
        "c5CpyGJtcqgXJECGdga",
        "aMXmOwYTC4B6PG8CwiT",
        "MWTdpV4MHc",
        "L^.7V",
        "z=axT",
        "aqpqpv6tN8r43bJRvik",
        "MoveNext",
        "icNoS5Tnw9",
        "UpO4dLGLBkgPvjB2fJhp",
        "\"I]Ks",
        "wTL6vDQ8NXJUePOSyQj",
        "cH7QY3AbddDpUXpm6XQ",
        "0YK+J0",
        "xIw0tD4oU5",
        "WrJ.L",
        "WRgtMrJ5vJ6MOuCSJEe",
        "fK5+7",
        "NUV#B",
        "nKl~8",
        "mE72QhGNCyrTl8MSg7SQ",
        "gdelegate0_1",
        "xLtdh0L12MWa0RNKJde",
        "gdelegate23_1",
        "KQCnxg23w9",
        "r)(+o",
        "m_ptr",
        "AHSODLGnfefRLRm21FhY",
        "s88SDfU7pdBr3my2jec",
        "mFreCnFEROCqi8MBQgM",
        "SelectedListViewItemCollection",
        "MdLblrLtqu8TmSCS8lF",
        "X11V!",
        "kWQ0bpjnofPqfyR1fTB",
        "Assembly",
        "WloB4lPkEW",
        "x3i1bLFQeFUBSoys89R",
        "Bywyz",
        "qar(6",
        "AJynTCH1LP",
        "IX5cN4",
        "4}'Lg",
        "5}-I.",
        " Re QE",
        "VN1WDd2YOfdkRrxp0hh",
        "S5rgeN8uMefXTFXoXER",
        "UmwLTIVRi",
        "Xm8rR1JiNB",
        "YHgLDfZ6FXTcJeIlOt8",
        "RadioButton",
        "jh9KyhGgiWKt2TvxyCbM",
        "*E!iX",
        "YNaROPWSweOEYDa2So0",
        "M\"M>qr-",
        "jN9FCBOBfm1ZfxhIdX5",
        "uF7H7cvIYR8pIwPcvT6",
        "set_Dock",
        "GroupIconDirEntry",
        "TjDq6YbvZp",
        "get_Disposing",
        "KQLCyuJtfU",
        "qdYU1",
        "YMjeTtKkOjmn0Cgq0hm",
        "Persistent",
        "ITtfXIACeKim0Qcy4vh",
        "C2cr6BaeW1ASX7WrdYv",
        "GO7i3O8MLx",
        "RqOiL1mrH4",
        "sxpZSMV7hD1uG8VEEW",
        "x6j6FsU4ARKefvjGtOm",
        "zWg1u3Yci3",
        "ShowWindow",
        ";'N(n",
        "SQjYlsQKfSipfJXUU8u",
        "aop0i0GROqMde8NrIbxP",
        "ns2wjdHyiF8Je7NUHDH",
        ";i&~3-",
        "RAqt7Je8xatsQTQG78w",
        "JTk?S",
        "CUAjL8gziEHKU11MH8N",
        "dhQwYy8LnSPE2ZvgGHj",
        "aLceVG1mLm",
        "FEjtO0GRHTvhhJJvXQi0",
        "uhxwOSeRDm",
        "HIRARZToXb",
        "+D8Ay",
        "2]!H0",
        "USt,Bq",
        "JxAr2IuElH",
        "wrEHqEkR2IXq5WH0pfF",
        "lRB5CibjVWvAW8vJlp5",
        "KUAeiMOV5HTfj8mbf4",
        "w93qHyZZOK",
        "kajsdEFFZU3g2smjn15",
        "*)#d@",
        "UV19Qn3EUwHBtuQvRLM",
        "GetHINSTANCE",
        "iyXr0Rc77u",
        "GetExecutingAssembly",
        "l7cgZ",
        "fgHqIVNRgt",
        "5CO($",
        "BeginUpdateResource",
        "_{Miw",
        "SuspendLayout",
        "<asmv1:assembly manifestVersion=\"1.0\" xmlns=\"urn:schemas-microsoft-com:asm.v1\" xmlns:asmv1=\"urn:schemas-microsoft-com:asm.v1\" xmlns:asmv2=\"urn:schemas-microsoft-com:asm.v2\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">",
        "Delegate1",
        "tiU7KUGCuKQQHQf4lXa9",
        "ov091ITSVNaJ9PseJEB",
        "EGsqbS5RnY",
        ".zraji",
        "dR2oQseini",
        "sGv0JvCU6C",
        "hMXhGkWtBiPhUOgjGyD",
        "4ZFpr",
        "RlGoGOGXWconhbGAl8Qd",
        "prZ>52",
        "1l7:IT",
        "EscapeSQLParam",
        "aMmssFG8GnKXxJk8u0EV",
        "c!NtL",
        "WY7aa9PfsA9LMps3p0R",
        "set_SelectionLength",
        "kDyr5YflfV",
        "RSiTLuemhR",
        "DEgwNFGnZ9W9Iw9aEjSR",
        "@s$-VM",
        "ColumnHeader3",
        "aX>]Q",
        "hBBeIlN93RcG0efIlre",
        "ST&Vo",
        "vZ`c|\"",
        "c79VuszhXslBx7oD5La",
        "PLfDo5bweX",
        "#\\pdl",
        "L82F6AGCyTcV1jQW9wwV",
        "L<!~!",
        "cFkKn436aS9IToTFwpr",
        "Uyrdg",
        "get_Error",
        "O0MwbR44r8",
        "swB/h",
        "Og0NI4GMxcX4CuBY6OPp",
        "GClass10",
        "DockStyle",
        "BUM9q",
        "p\"0Y#",
        "WTAbiQdJaN",
        "set_SelectedIndex",
        "TxWgpLGmlhphbdd9GbSb",
        "fRVvidUAKLXokwC4WTw",
        "wtd2vVeeb8HB3Av0kOD",
        "hAg|Q|",
        "dF2Fy0x80exurIJo0if",
        "lgkG7LWU3WUuqNn9hd7",
        "HoBI5JNBwNrMhEITY0K",
        "h-+Qt",
        "svE2BtuyvtPyjufliV5",
        "'gRuyo",
        "ron1QRGy1VGGlc54q0fH",
        "GetFiles",
        "FileTransferAdded",
        "hbVBp4gIq5",
        "OnOpened",
        "Gq9caNGL9jIcT4F5Rdeb",
        "Vd9VMOyoy1I0TlOsItc",
        "set_DrawMode",
        "wXiL65GhnSBGVtEjbuhB",
        " f!%+",
        "sbpHvy6OyJqnmA4qAaY",
        "ylwuhmGG06sKxpm7DVYe",
        "kRaKBOGXtU6e08yqSp5o",
        "WWW1LpGIl56vcmjhZfTG",
        "-ehKhrd",
        "!Go2h",
        "F0jeL84Sqs",
        "nQvCV6m2f4",
        "Format",
        "xMFMB6dM7t0e6BYI6XO",
        "YlU7kqSwcr0XpTTNvA",
        "bH?Wphq",
        "`wj.Oe#",
        "cF$me",
        "add_Closed",
        "rvgBBMiryV",
        "a1KI7DciE7fVo9mmQ9K",
        "njklcpwA32BwMknhjVu",
        "oDAR3d8T5nIeDUOInsg",
        "get_Background",
        "TKAba6rbD2nLOCyOMDn",
        "GStruct2",
        "rRUZ6r5Vw7PNsRgsmyQ",
        "yWh12",
        "4_<S+",
        "7i8-F",
        "'ADwb",
        "(a1 d",
        "MX20KLjLvB",
        "OQJdYdM0ij",
        "UM5YI9imxh5KUBUmJyd",
        "B0N0QuYYF9",
        "CreateEncryptor",
        "%cXTG",
        "RuntimeFieldHandle",
        "IoPVtRGwo5hinj3HeJ4S",
        "-x)|fm]",
        "sU8* ",
        "VLfVg3XBa4Bsne9ReWc",
        "IClientAppHost",
        "u!g_F",
        "|xT#z",
        "aUR6hXJqCk",
        "BaC53JGwc57JGEgQ1wJ5",
        "2UUPK",
        "lLPWXhltcBCjKjjtRH",
        "fqJPlsZZgwWc75Jkh6O",
        "inI6qXJQrgPNPHoL7k4",
        "QcSGdGc6WGhaMNplJJf",
        "f5SbWZnhCFESK2wSO8B",
        "dS9SdESYGT",
        "ORIk)0",
        "jFFS1",
        "oACwWbMpSX",
        ",1%*S",
        "GetData",
        "%zo}c",
        "zI8Tgb4INAWbp2g177",
        "K56quFJGbWVojgd4wov",
        "vusYXWDj8i",
        "BT$l;",
        "pteutIjAn7ZVhZhu1PU",
        "pRA62q9Cl4flxCqku4u",
        "h3KNORcO3ZI1iKyLJ0h",
        "WSJKJ",
        "prAJbdJGov",
        "GStruct0",
        "T4ZKkh1PWLlUjm6fEIQ",
        "t,40-E",
        "FromArgb",
        "vPTATYqmjvMlRwsZSeY",
        "j#w]'B",
        "{}OI'",
        "Planes",
        ")lZk+p",
        "RWVbmg02Rv",
        "TimerCallback",
        "X5p6uPO80y",
        "get_ApplicationIcon",
        "checkBox_7",
        "Q2htojGMHxWjJbmEBYvd",
        ".,gpK",
        "Z\"N<g",
        "Oe?29",
        ".~JAb12r",
        "TableLayoutPanel1",
        "a7OnbhoPfr",
        "r=gr8",
        "eWsloGs1I9UNOxNmKPN",
        "oLqZVMuS2AwLq7flFFx",
        "ToolStripDropDownClosingEventArgs",
        "(p8uI",
        "g6cbuxuEbT",
        "[sO!R`7",
        "add_Click",
        "NuI3dD0IkSvrKqZUUED",
        "GOfgBeL4vGAbgfWvvjb",
        "QMxs1RGWdTrpLY8ngbJ",
        "UUuyQQD8vL3aJJhRKRT",
        "8d7Y-",
        "gdelegate1_1",
        "K;8JaA6",
        "oKwoJ6eHdu",
        "xejKjKibbfTBs2uXJ3h",
        "DHukV2GxSALaoV8l3s9N",
        ",]JxZu[B",
        "EndUpdate",
        "JKD>iX",
        "auSadoVA3xyA9BaRC58",
        "BwktDWsJI0SrtMmMTV5",
        "%n>M_",
        " ~?d]",
        ">qQUAAG3",
        "mtH0tKunmxjtd9KxVlU",
        "zuqCehEnIp",
        "w7HYPVrWsqDIcyS4Kag",
        "[}&l>|i",
        "UEGK5a6oSr0V6WAILwH",
        "ydZ7Ni3Pph53ouOFX12",
        "I5ktWk0SeobMNNCCiKM",
        "|ct}[",
        "WCvxNCn0wstgFF4iZt5",
        "NavigationControl1",
        ":T^AumU",
        "a5uFkyAxKnNMSpPCKea",
        "ListView1",
        "get_Y",
        "GetManifestResourceNames",
        "KZkUbKN",
        "mZEbEGXJqU",
        "xq4bWYQNIA",
        "LUEcOOGGwZp6ooEi17GP",
        "av`|3i+{",
        "aPbVou9PC00LwlhAbeS",
        "ATIRHbB9LL",
        "hQnL6MGLGRX2Mx5YZjnK",
        "opvwQ9oyMC",
        "KrWGNXoJQFl8Zqb8bj7",
        "aGt17tGVPIBB7skmF0Kn",
        "add_ItemCheck",
        "D5o6XXyvrXQ5NpcGy0Q",
        "tabEntry",
        "Jokv2irXVh",
        "+^:f\"8",
        "oKydZYFocP",
        "tKKwXAyCS3GVeSZqyS9",
        "NFRd51RUdM",
        "HQyrBAyBdk",
        "_y!l U",
        "ReadProcessMemory",
        "SNSUJtPxk1ubvnufaC",
        "q9bkB",
        "RICcVMxtQ48nBtr65c",
        "USFIwNmh3PYJ7lvUAwR",
        "TYKdMmiL9xXZEH6fKas",
        "FyFYkbFIMQ3CY7IKeZl",
        "s3GYRfRSdbBdRjArcYk",
        "FWyYRXqI4kpelyCuroC",
        "JiqUbQGXjtv2uaq41it1",
        "PQywraGM8LpgtNLjcSHL",
        "ON_HP",
        "zfdNT3s4F5",
        "tJZA<",
        "<dFdXAW",
        "n#jC{Y@",
        "fBAP0bFqBA",
        "mS5aHHNIbM19AjMI5BC",
        "tbphiSGG1ZITaSxD0ngW",
        " >vHD",
        "lgU\\h",
        "UUWn6WGKBNjGDYSnLNaV",
        "gphQ5WI7fr",
        "M1XMDKUHfk68vUlf9YG",
        "p8xvHWauyAXteW4JwrQ",
        "zq3ylF7AcO",
        "tSpPE7GGkoTi8n8C8bSw",
        "vG)c{;)",
        "eXeVPH534",
        "jkPoxvjhuX",
        "sQUIfVG34hCNHUW5e9C6",
        "Synchronized",
        "get_Checked",
        "lndv9WF",
        "olH0zQPBvC",
        "F0f3Rd6KUOy0dOC9TB",
        "YWDKJ",
        "set_MinimizeBox",
        "AHmOkM9oNuEiklEhyL0",
        "pmF0btqjr62223pCF5W",
        "RahmoHGhKPuJpu7MU8WT",
        "6&5sJ",
        "set_SizeMode",
        "wE7SeYFBD4",
        "GGgifqpqvq9XLyTZCDt",
        "OWrkf3IuxLYTfjLMkb4",
        "$k*C:",
        "yn>zk",
        "hhxOvl71uZ",
        "HOEjVYg3TSOidV2Dgtu",
        "G2PDf1uCWdE7L5nlddL",
        "oBTiCrFsLZ0O3UcamOK",
        "kf3YAwYuJiH9ItnTDh",
        "rlJeAEakvGTylJNaoJw",
        "eGXAYsGA8xGe7cvAlOHP",
        "tRcRlh7S50",
        "j3idq0Ykq3iJnKXdD00",
        "LtOOwFdyJo",
        "UkT42i64F9bGeqvxt5k",
        "PaintEventArgs",
        "lz=`{",
        "cagd07GlznrYJRJGGcvS",
        "C2gRcNItsaIXdHJUo44",
        "Write",
        "zcfk6rGA7kwwPO4xYW1a",
        "MG6Wv02OukyB7b9nHmQ",
        "Rxa6Q{VL",
        "nis88hIgKWySWVBhZtX",
        "set_ShowIcon",
        "yb0yVCJUmh",
        "/wzzV",
        "PC01Hn1MMk",
        "1{\"*b0Y}g",
        "wGEKwMrlCgwmrMRM5WQ",
        "M^c|f;->",
        "TabControlAction",
        "rNue1",
        "AuWONubaW1kOhfAJGIe",
        "AddSeconds",
        "vOYYhBGAG2o2pdfn5La3",
        "oE9GLAQWnaiGYib26oK",
        "2O4d/",
        "kS\\ES#",
        "xPH7jWJDUA7u56LsYFF",
        "aCu3t5oleTIG8tdRYqN",
        "vKe8irGmQcOuxa6KdcJR",
        "DQkxQiP6ETYidxjXf5W",
        "ntRTPEQziSVpbB86yUs",
        "ArJqkmGYvqk59fNXiXOP",
        "CfKyKqkPnHsBOOAWMDO",
        "Qe7xj1Ojw7",
        "za1xyEQhUw",
        "BXSgPDLqu",
        "ED4|(",
        "NCgRHjYB2P8TkJYFgdk",
        "SX2t7YGCD16EqU4duVgY",
        "^CB^.",
        "eTEmutDB8Wol8fjr9qM",
        "iOtSqBRvDKFZyHQuD1r",
        "z1njCU78hg",
        "il936",
        "ipBiSegIrv",
        "yI`J9f",
        "j\\<=~4",
        "dB2uH7U6TUyoiByonD",
        "fBO6fHFQI",
        "HfdW6RGm0GZhwjbcy3KP",
        "3HQ{b",
        "PNKQFvBDOk",
        "ControlStyles",
        "qAV6GL4EsO",
        "sVT,]",
        "GviHT",
        "WBhvH4MVan",
        "xDEcnhznBdlPvSpAa9d",
        "Pq<E@F",
        "vmqwKK79Rt",
        "yvHD?",
        "D73iWwGy2UsCuN28tSfT",
        "kn9rKLQFAAiBok4vZ1I",
        "YMLG7FwFNxCWfW9q1my",
        "DGNjm0W67q",
        "oWHC3u3Ab2",
        "VN2qk2GGFtZAlEqQp5Uv",
        "alPpUgGwegGW5pfEwpmC",
        "BPKlDs8dE",
        "aIXw83TwZR",
        "hkeXhmGMgitEGWa8aoSg",
        "l.?6$",
        "|ipzU",
        "get_InnerText",
        "JfutIignswaj1nndV43",
        "fxIGL7Gx5IPN3N51PhCh",
        "x^iLUv",
        "TXpC$",
        "acvisDgUBt",
        "t1XVLTr5kBfJXjexQZu",
        "SHParseDisplayName",
        "q7siRZBcic",
        "EwWyNxGhch3eOjPVcmag",
        "citfUfjiQweOZYx8lT3",
        ")`/Qv",
        "khcYS7wMa9",
        "Header",
        "!&$obh",
        "IZisZqRMJ0IR91YB9PR",
        "FromImage",
        "oHuSHWPS7lIvD6A75Ys",
        "rxBnwHGp1lIwqt1I4i6",
        "GZ2S1aGr7I0pUBetGl91",
        "nnES8EfTWo9glWjV5da",
        "jvS6LmDAJrRc6YCwuaB",
        "cP4xlCGALiKH5gmanln1",
        "7Q$)D",
        "uVrTYPTjC79W5Sto5o5",
        "|+GAt?o<",
        "FjJ3mgFVCbeUqYOb4S",
        "T`9oZUB",
        "Eoo3SKt3IYl5nQDD8Jc",
        "get_Unicode",
        "aIVGAUG3x4tSyMjFHg9J",
        "7p(]U^",
        "R9ShElGxikBnFdeivbsa",
        "agZjNvGeyp3OYcEnPrPo",
        "VKNwhOFE4r",
        "rsc6Eh1Y0S",
        "2U?Ke",
        "cVWmlfs6WMyOERAOGQJ",
        "KeqA8kvHrn",
        "{iB'-",
        "K3L!=e",
        "OIxrStGf3Nv3O8sao4Pd",
        "Ts7lgYKALO",
        "BujIJj3dyo8JeUKnn4h",
        "wmz3L",
        "MASXmcJua3LUbBKXFn4",
        "cNCCCtWeCR",
        "lCYimNvTfvSj3Ggorx7",
        "hKa8JZGnKGu4n2a0vKk",
        "LgexQD7JNw",
        "~un!Yz",
        "MethodBase",
        "QtFZLxGPzOMtNoM9q0tp",
        "ycAmN5mSuiu1c9lsS4U",
        "oyhbIBXfsU",
        "KqtP7xGlsISFcVI1JGyS",
        "RjA2g8REAPsILiR8Stc",
        "knSRqwYOHH",
        "method_44",
        "CfxoIKG3DY9ntplPa3CU",
        "jf&uO",
        "/*ciNm",
        "sCuR04GR6KqsrSZRblid",
        "V161clGfxtmK3mvhykY6",
        "H29nzTeTrJ",
        "UQUEhjcSyVOuFfjZCV",
        "$9FD93CCF-3280-4391-B3A9-96E1CDE77C8D",
        "toIYRBx9QpwsRjTbsQA",
        "4alE;",
        "ItemCheckEventHandler",
        "PeSDpIFfjw",
        "mnnN2a5FnyyXQLeBv2K",
        "E9\"\"J",
        "vnaNOHrijd",
        "OnMouseLeave",
        "          version=\"6.0.0.0\"",
        "Rd1iCdEQRr",
        "eTvLr0MsgDaiFbY6X8v",
        "Vaycq7GI2VYmmkoOgvGT",
        "ETrQcD59UE",
        "iSeTZyKN",
        "GsO5peGEzK5HhWYBwU0C",
        "add_UnhandledException",
        "JsaxSyNCyv",
        "flice4JqJTOSC62qBNm",
        "C8h57rSdTt",
        "zRwBbVRM5P",
        "ypWr1s1FMVZXXJ7pCGv",
        "yCmNxynb2VFPX9deSjB",
        "KPktFXjFNryhGp2IN8r",
        "UBPsoeGxCMOA1WrEdxSS",
        "=lkEoO",
        "gwXBLNSbL1",
        "PuOu9ePbnPJGr9xX6HO",
        "xS4B02HDWF",
        "set_ImageSize",
        "IServerFileTransfer",
        "gdelegate10_1",
        "Pww9uBsvJJV5L2Ju4xX",
        "V#:LI",
        "GetMethod",
        "OxLbpIJufA",
        "wnby8ySKnDtE8Dd1Iow",
        "^Y0D\\",
        "fHhh8Bd14c7BmJR8KmY",
        "PictureBox1",
        "NAMqqdhEdH",
        "hbOwbpL2Rt2ImsomFS",
        "e6HSrRPX65scqkYKJXt",
        "$$method0x6000020-2",
        "vBHnqxwo3f",
        "Iy4jLvH3fq",
        "qwqEFqqyst2L3VDCDG0",
        "lYlkgD)",
        "wjROeE2a0L",
        "LoadOrderRow",
        "set_DropDownStyle",
        "%pQi\"HM",
        ";)cjB",
        "f3NTNNJVkc60dsi0x4r",
        "e-LH8",
        "H63BF3MlaYVJSHBqqD8",
        "e47qZOl5C1",
        "sKCh4JRuUR",
        "BZVtFQGrisKtZDNgqyRD",
        "x4U5u1uCau",
        ":DO{M",
        "WodiagUo0H",
        "x+XY ",
        "BLm U_",
        "Igj0TKXmff",
        "mK7ivsGVmCEdtxdPXe7Q",
        "oI5X9hsuErP8JvPv4mS",
        "I>JII",
        "d`pa:(c",
        "~Lpy2",
        "b[V5a",
        "Hrb8E0HDhXp3QY168Oe",
        "comboBox_2",
        "*Ti'{B",
        "LllabcGIGPYvaYpj4A2j",
        "dZDh4EeIu7HcWBSd8Cd",
        "Dd6iCp54ZUAmDIkCpuw",
        "muk~2EMT",
        "LTI7ZmVG2nnAhNasBrw",
        "VA@_I",
        "R52X8)",
        "tikZPxApDUJmlQh2o8Z",
        "_CorExeMain",
        "Label",
        "dkG**",
        "mxhlehAHxUGXCsesEyr",
        "/!If{J",
        "kYKYGR2fTM",
        "GDelegate15",
        ",?AMb",
        "7E4|Wo",
        "zoe8OuGeZOEDDerd8pAg",
        "LwLc75X908FEroFfpN2",
        "XUhGuRX2cE6AX1mxpw5",
        "* `a0",
        "}p!:o",
        "CMbAhIGChXagvk2MeEHF",
        "~,iekv\"",
        "oMUddgROvOreVhU961b",
        "}rex_",
        "ERjKXjGYkSmyXa0Z88rl",
        "/z=OL",
        "YUlL7NGhTpUl1AGJroWc",
        "YnRqZEGRIgt3dSufGNka",
        "LwDjH",
        "XU1IFwGhaAY7fcpksbig",
        "UJUMiBGYBfY0ONuOdHy",
        "dMkyiSdB1w",
        "PVc902dO8igS2jTCbjD",
        "{294_",
        "UZMLUfZDOMwjL7h3tWF",
        "ChashcEH1QCoFOpklV7",
        "nQU49WGRdUfq4sY1xh3e",
        "hjRlriwnWX",
        "o1ovzHxo7X",
        "BS6iyqrQnBwtKsRkpMj",
        "RuntimeHelpers",
        "$lgpF",
        "dgYIDnUjwYoBxwbHtkY",
        "jGhOKSGV8CDiPteQCGGe",
        "NQ<Y?",
        "q7YhIfMSEH",
        "l5L5X6tAfj",
        "GDelegate1",
        "iHS7JcHYIeQCnWYSQWU",
        "RestoreToolStripMenuItem",
        "u4dqT14jRo",
        "QQhTUIZbBa",
        "D1ucMqteRXuO9sqdxOV",
        "set_EnableVisualStyles",
        "HFR1D8BxbU",
        "yZsfr",
        "} x7T",
        "Boolean",
        "Qp45KQ9nh7Zv7XjH2QD",
        "pVbBAENA8W",
        "O;OXa",
        "|VXc\"",
        "pKbD6DwCM0F1r7wjTKd",
        "(`B>U",
        "!XRex",
        "ZPg1W",
        "PA5V9sGKkZwcIiFgdTB7",
        "Z#W[x",
        "CZpR9dauXP",
        "g&&$h",
        "X\"XI]",
        "]i]|*w",
        "N6Gre^v\"",
        "oCPBr",
        "A7uApNGYuDAsdB1kdPIO",
        "IXYrOkGGV4GxhHTfLg5r",
        "tmgv5OSy5pnwfjmbakD",
        "V6jiPeGxYRqiR3nDFJSL",
        "d2GQVlGhYuPaQNtWqlo0",
        "l]YP3",
        "cbB?Q",
        "toolStripItemImageRenderEventArgs_0",
        "B3aKHQGLOGLMwW7OmtO",
        "HostData",
        "}1=*E",
        "nJ8CpQ2WUG",
        "ColumnEntry",
        "Rfhn M",
        "Ace5AHIm0k",
        "A\"@'g%",
        "qfpOpr8aSH",
        "x1obkKGghknbaO9Pd6hU",
        "JRVp0FxadAnJwvMXJZh",
        "W80V2JtQkxWxd0G1ngT",
        "#<BY~",
        "iAo7e6",
        "U3vra0G3HosOvGR3coEK",
        "get_LastOperation",
        "SHOpenFolderAndSelectItems",
        "h75r8F2pJb",
        "t6.SN1e",
        "Oq@0T",
        "XNwOanQUL8mFO0aQEqZ",
        "tcYxwEYw6MyrPNqUCup",
        "hjPVSx4Z10YxPjrAYyT",
        "WCoP6TFBShaecaa7UdA",
        "TextureBrush",
        "zd4t6PlagVb8eeb1qBT",
        "fcx965GbkFLmlSGtJMDm",
        "O>cAIH",
        "RRrwu4rS3B",
        "cICCqtavR4V3m0KxP5Q",
        ",MHp!",
        "vWWIRq3M7rma96KCCc2",
        "eYXBT0Uqkl",
        "ToolStripProfessionalRenderer",
        "IWcmMGiRHDcrwYPlA48",
        "remove_Opening",
        "AgFV3KYNRDbALANKx8w",
        "vTqpFLGYSmE1JwXChxDV",
        "BFSppPyK785Qc01WC1I",
        "get_MenuItemBorder",
        "cdpleP7IOyv04BCJmi",
        "y7jqpdQkvl",
        "VLgSuaJdgyqJG1j80wO",
        "SystemIcons",
        "Jj712GHauSQnZEtNNIs",
        "get_State",
        "yhyLLOojsgjPEpPOVWm",
        "dtP68qGhZ8dFiN0TThwH",
        "DPErljGfuXEr6Di7nVPK",
        "xkOH~",
        "columnClickEventArgs_0",
        "get_GrayText",
        "x=b/+",
        "Ysp4hxY2l9nJ0e9moY7",
        "wi8c48q9BGI6kkLXdMf",
        "rcEVqFGKJWEfZVKQbxPO",
        "J1jwxkZbQUPDSWS6LUW",
        "aGLqLSSzm4hQInNqcCY",
        "PpJTNlfEeA",
        "lJk51mmYmp",
        "2?zb:",
        "InR8Cs",
        "ij9vhSGEWpdwrn8ocVRM",
        "ValidateSource",
        "ldqjZKGYKhV5fJlDBp5P",
        "eTTitCGC6RuUEeEkNXjl",
        "=nGsP",
        "eOnBokGCXvF9lXItDKgS",
        "=M6f|S",
        "GiIuRoxy5th9Hwgo7yV",
        "WNPOHswtCOibZUdDRrA",
        "BwTXafo1KFxLFLKkNKc",
        "CQZzs",
        "+ Et}",
        "'sstH",
        "CO4YNE35ncyKKaxgOPs",
        "&k!o~",
        "Ep65MgDY3s1uDopLK91",
        "textBox_2",
        "OxG5]<y",
        "9\\qaj9",
        "RTEFrL8688fPdIJCXar",
        "string_3",
        "DKTeo5G4R1PiD26b53ky",
        "]_QC2",
        "V#P6J",
        "oythqiTRq6",
        "SelectAll",
        "HyNSPx5A5hxk51MpOEO",
        "N\\2$L",
        "_Lambda$__79",
        "get_TimeRemaining",
        "y=)j^ >",
        "9>=PI<",
        "uf5qD2UVuP",
        "ToByte",
        "F{}c\\",
        "Op5I4Iwch6MXDT2UPJH",
        "3dh>c",
        "rUiDdSGYyS2Q0V1heN3I",
        "c1sd2MwWqZr6kyZCNba",
        "zQ>Z?",
        "h6KUJQR4yxfOm6hY5yr",
        "B2OJq0crR2",
        "rgP5K9ccr6jmbilwkqj",
        "C2pXUASDLffM5FfYIMq",
        "sp7ZAXi1pBTdRnYVxJO",
        "w9kQAxGYm02Ys7IXp9OZ",
        "oSh0ZXGPd1H8VpVH6m6V",
        "&CVe\"t(",
        "cd5t>P",
        "SN2HS7GMr9mME5Y5rgc4",
        "Rg1nZg9JNZi0b0Km0mn",
        "vrBuY7GPF8rqIaJEMvP5",
        "VlZnDI28I3JB2GRY0XT",
        "1B62H",
        "vE{{O",
        "QUcCgSqPRg",
        "FileTransferStatus",
        "ColumnWidthChangingEventHandler",
        "s9lbc4e3sH",
        "rVQmKr",
        "Q\"#.]",
        "gclass22_1",
        "get_GetCheckStateCallback",
        "='Se0SE:",
        "gVBg19GLmZvebt35tLdD",
        "OqijmLvXd",
        "kGudUoKHY6VGY0rv2Gc",
        "add_FormClosing",
        "qZU9ZQrmvmun1DmxBZL",
        "ParameterInfo",
        "uXuDFk2WCa",
        "get_White",
        "OQnufSBNd1yE5VEDH6s",
        "fpZOVZ0dVn9JugS46p7",
        ">w+2J",
        "viHuVotkbNcJNKHQOxu",
        "hacKVE8FMjvkYjEXYyP",
        "get_ClickedItem",
        "fGmAO03m8BJRuanY7wv",
        "twF3yE2fHgDBHnZyHq2",
        "bool_9",
        "kFHmch05rEgj6FEE6jC",
        "sphgMLQglCgClUKgfFx",
        "JKfkvkLTc4bHqJW2aZ",
        "YohPPJONZ1o8E8EHotM",
        "EBh7AFGNZnCiOMQ0gWRY",
        "Ih>ANT",
        "BSnmenJEMRg1tFgfMWg",
        "k@W \\",
        "IYWf3f",
        "SocketAsyncEventArgs",
        "gcontrol2_1",
        "RtlZeroMemory",
        "BhRy6FXTJN0uJxSjpjm",
        "4.!(1",
        "0V cUx",
        "lbUwIYiurQ",
        "PutqO0am1oJg5NdZ2Bt",
        "RL;]r",
        "nA2Fe",
        "VYyBFlLQ7ryUfmQK9ir",
        "9%I%e",
        "ajQq0r4AMW",
        "vDcBrh5rXa",
        "G94e.,F",
        "~A_m;",
        "\\_0D\\",
        "_Lambda$__14",
        "*=SK>&",
        "set_CompositingQuality",
        "c3j5xkeeB7",
        "CCaUDwGVBqWor2kulEef",
        "ea1lt6mUJa",
        "eLWbGlJ5YO",
        "soGFg8GE2T4HrpdZncOV",
        "wk0JDk2fDWUIfMO1yd",
        "ProfessionalColorTable",
        "NoRGgSG43yN10SbUEH77",
        "meXCwQ38RlTpy5sxIi0",
        "k1je7eqpc0",
        "TbbtJLdPXeN9qZUJg3K",
        "BCTLfABDjoKR0U8eakk",
        "SvHbRTcwNONAgbbylfS",
        "8V'Ku",
        "nCe4hKGmUyu5LJ8DaP2b",
        "l~G3Wr",
        "HnqLgvGLYFlwR8VZwgte",
        "UlGk9VGZEFJxWcwQlTaD",
        "gYrUwIWBIIrAbGWSTul",
        "UXxXBh2g39MfBg8pgnD",
        "state",
        "E0~1\"hV",
        "Go5rtWQhYuPLjIjKjWh",
        "MBwQHqG8bTIgsWUqwUx3",
        "m_pData",
        "D^U3\\",
        "gOVdE0HbOOK0FqRnXPY",
        "  </compatibility>",
        "rdnMKUGX503Enqo6a0gF",
        "1P*+]",
        "G#{\"A",
        "P330Uv5cH1",
        "AQeUVNGxsh2uaNnymIZ9",
        "CJSymKwhh0m6UQPLn5s",
        "ReadUInt32",
        "get_AllowGrouping",
        "sDdCfNrJXS",
        "c84hDC6QIW1ImRN4q0I",
        "e01qDCGVznosRO6sftNg",
        "tx(71<>",
        "Yj^R9P",
        "iHxmgygoTJEAabP2YSw",
        "=#`@G",
        "@l]]_",
        "A'XE9!",
        "c46McAKR7pWkiJA62Qn",
        "r9Q6bk710MIWDnQBsMP",
        "PostSelected",
        "uke3bDPsZfZfmS5cLID",
        "E-U4E",
        "w8YaC6VBH9JFiuJs4fw",
        "GdGzmUKp",
        "ulSkGqZj83OI0Y9E915",
        "t[>'LMj",
        "(&j{H",
        " C!T!l!y!",
        "avtZsKt7vMVjnkDc46k",
        "SetClientColumnValue",
        "gcontrol1_1",
        "DEuU61GNhTQmhGnLAW25",
        "=uy|\"Z",
        "@j?'z~",
        "bo<\"z",
        "u)\"Jh\"",
        "GetNotifyIcon",
        "TFDiwGVrSqcQmv8xdYS",
        "lQNbmspc8hV4eQe6Fp8",
        "B9ygqNMZXEHOhEGTj6M",
        "CijsrCOjmHqgTOoPCdu",
        "BWwLV3GemKKLGAp9pHk5",
        "get_BuilderSettings",
        "ep'9x",
        "aKEU5",
        "hwtm8rGJwJw5SOFXyHX",
        "8.:7BE@",
        "scO61NZh5O",
        "zQItMlldkBhfHTHhGlt",
        "nAVGU5GRmZDbEMuGOuJA",
        "aPIwTOq3sY",
        "$$method0x6000039-1",
        "G28nD5ExwK",
        "Uk(Q7",
        "WiB])",
        "HkSwahGbZ6xBPPMlcICh",
        "listView_1",
        "e?F#[",
        "Sga5Q7GbNg0yllMPCMDO",
        "daDtv9omrEhLpu15MAn",
        "YLIlHNQ78m",
        "sPk0Mq4mWwLuA7fOdCA",
        "E8wU2o2u51keKcblDDC",
        "RQw5SFcXXP",
        "set_TabStop",
        "ICryalnq9y",
        "iQ4i64lgUBFcELLhig0",
        ":WNTh",
        "ittS7t9tHlnRvMCqC1A",
        "i431y3GyAZHT6Es3OoNn",
        "=*^<)",
        "IE{Xl",
        "SAEAMQ51aNfulM7idYH",
        "System.CodeDom.Compiler",
        "Cb6QIBPFDd",
        "`l2 O_w",
        "`\"xF]aO1",
        "i&2;m",
        "Label31",
        "EehrSfEIy3vShetJIoP",
        "AddTabIcon",
        "fU76fRml4pm1ocoKYEU",
        "oeaW'S",
        "oP1b5oGMX6IJEk6BpCYh",
        "FxcbPShGG",
        "FH1PnxyW7D",
        "HKjfP1GfbF7J0S5idlcb",
        "BybNLYuX1t5PZcgBjFe",
        "\"b~9\\",
        "F1yRFRGYQ5byGI38jeq4",
        "566bd",
        "9|48u",
        "pADV6iG3EWanhrAY7jRT",
        "aB9lHmGN9uVU6ZX7BmwU",
        "H|6j@",
        "V2mPC1XtUveicu4Fq3d",
        "wMq5VsRmxwSCaGW4Li9",
        "foMgHiF7Lavxmiih9pV",
        "xEe1wqGCl1MvoRiy1xk4",
        "#,@^.t",
        "Kwe8GXaprB9ImncJwaS",
        "V1BBd5GNgpvIePXJq8AN",
        "HbjHLYlpdhMl1O4t6JU",
        "AUDm1ZzqJiQfDT14mnG",
        "WebRequest",
        "CZtoFyFZfm38plYH0Xp",
        "set_ContextMenuStrip",
        "fZlYHyGGGYTfuho6JogU",
        "ELPqMHmnEx",
        "(!:PW",
        "IkAErUGVg1lAC11hBX2F",
        "s@(kU",
        "fileTransferDirection_0",
        "LU86Yf0Vh1kBcSAqafG",
        "LE5o14GgQV9VAwdUEg2X",
        "S@C`|",
        "p6DJTIg1oLT9CvtGfbp",
        "jrNPXBGRamWdDYwu4412",
        "mstCIOmy648y1ALCR7",
        "yB2k3rGyU66WENdodYph",
        "t7RvLKPk8yK11MZSZQp",
        "Yp4NSZVC1U",
        "yoNvq6dnWf",
        "jP1LWuIHu2cv9mdMxmu",
        "ziI#r",
        "LjLlyAPKvt",
        "get_Rtf",
        "EinihssTfweZAVsSM98",
        "Es bT",
        "+o\\^L",
        "FVS653KSEjfTVvGWrRI",
        "sUHeMRWrdjECHvNi7M",
        "VhY2D6GISl2i2vA0yPb6",
        "OQ6qrYpN3yVAfZ2TuNE",
        "D6sbqYEhrI",
        "dc5JQhGXpTAJng8Nc2S6",
        "COhXr1UCK8salFYtwNW",
        "YngrO8Q2jLTxiEDA6Cj",
        "pkgiV1vPPHHyskm52xY",
        "KQ\"R6x",
        "rNBYPYgAMk",
        "BVvQvoIOb7",
        "IHL6K",
        "G6nfWbLLtM6ubUEJOwS",
        "oinaSSkAjOLlaDyXv2M",
        "hTPS7LLJDfrYhIGgWEK",
        "zcT7qqDyktNQLLmSb8V",
        "Kz[+[",
        "T5gOh2GkPtMUC6WTubTl",
        "snUHdJhjiNdufTIV46M",
        "vrVOKQq0KXjWrrIhZFN",
        "gstruct2_0",
        "Y^]$b",
        "i|L-/g",
        "IrU9ANKPCyPnwCREFLC",
        "H_<]H",
        "Invoke",
        "a6S6ttGglLct1LkGnb4Q",
        "int_0",
        "RSBFEXGNQcAyDXRMasu",
        ";V?;9",
        "KIJK9emCZ5MWtZJxq23",
        "kOIR9BG4c2rLjlNNwiCX",
        "qvlt8uG8jirnTm6mcNvH",
        "PT?o^",
        "set_AllowAutoRedirect",
        "<ex@Hc",
        "{M#;J",
        "TBVLCIlbyGvKGK2VYIL",
        "V4OMiiJoyW6YLZ3RguW",
        "iclient_1",
        "[C0.<'->^",
        "nrF6MP80npMcj5gyYvh",
        "O240jSSmrX",
        "v9uxnEHfhXPLgB8EfjS",
        "HcF19UEuCN17ZZ1RnOe",
        "VpQkkt1xG4rFQIcJjfe",
        "hxslcp26sI2WF3ZJ0jS",
        "@C]S*",
        "mLRt2mhRhgQ7XjE30H5",
        "mN0VsY9TZ7FP6Vr3egM",
        "xmUYkWqDmp7JLBY5dPJ",
        "HqPicCCSlR",
        "YOe0TfGVlwgDg7S2wlmK",
        "GClass33",
        "I9R12oWz9BqHdOi3lXJ",
        "FaRiBAGMCV8ELbqse9g7",
        "SimpleGraph1",
        "jD`d%",
        "get_Color",
        "RICMcirZhrByvFo4QSw",
        "Label16",
        "8me:@",
        "h8ZPYKXc4WanYOgBNbd",
        "Va7xoZwprM",
        "SYng5hgWqLLY3jP76Cd",
        "VCvRivjfMGnid5i5yeP",
        "xM.|&",
        "Tfl1cjqTVGJce2dmDXf",
        "sL0C3Bvqw0X6T2UZrbb",
        "GetEnumerator",
        "Y2nvoGkV7bHDjhCXJEw",
        "mUbxOyMm7K",
        "nXsvtGj1wXgeiljf0Y8",
        "yCQQngGGTJb31tB6XVQx",
        "drfwzwiiP4",
        "UFShzwXHTF",
        "SendMessage_1",
        "set_UseMnemonic",
        ";S=YJ",
        "|qS{J",
        "*5 |_45x",
        "mpVxwZGV2NOw9ROTkDFM",
        "_wHEc",
        "J9SJHJ6n9CJx5GtjK3m",
        "N+=g7",
        ">C!d&f",
        "get_ServerSettings",
        "Fvy9GXXec4rCv8o7nuX",
        "idoe1nGZe7eVJAJDfPep",
        "RaCA1Clmye",
        "vlVAMqWI4fOPbxsPUIR",
        "6];[i",
        "cSZ2iy41GagJ0KAKlcO",
        "CRmZHirKcM83cLBvNdc",
        "jk8vILTCNG",
        "1vZB!",
        "JDo5rZ5whj",
        "iD|ft$2",
        "CS0NyHG3MRO70IC13Lso",
        "--QG+",
        "~^j{-N",
        "cEegSpV2Cl4nLL8Qkto",
        "s2QTVkhxRb",
        "$Ws-6W!",
        "#Pq5]",
        "puvxZXtLjS",
        "kernel32.dll",
        "GFAf5BK8YuZY11gsV6r",
        "kayqGdpt3e",
        "8t2G&",
        "Q<sYt",
        "get_SelectionStart",
        "XD1Crj5Rgsqqi5awUjL",
        "get_Cancel",
        "cuIEH2iTZMFgBTPFSbJ",
        "mKOh3umWKe",
        "%0nk}",
        "GXU8fPA0I1x1pOwW3DQ",
        "ISsFU7Gnvsay3ukj5DGn",
        "3 (#1",
        "iofGnLY501VxOuvHBec",
        "N06fATADq7",
        "*HTCn",
        "LCAOZO8b6QwjlJxMLLq",
        "(%iN<",
        "UMNkJLEGFBgesG5jmYv",
        "Ectt6yGMTiDbcQIyVD3l",
        "V52eebbxHF",
        "C8YjcSJprLkpjG0Gvp1",
        "VC5inZ2j4SryBY8qof",
        "l1UuZUOcxCajThUsgtD",
        "vMtDn7EXGq",
        "hwsHkwbMjqCM34gBWjO",
        "o4mxgxvLKQ",
        "GPBxPeWYwf",
        "5<a#{",
        "GTEQDTwwwhOnlGuahnF",
        "DIVxKoSVPU6ORliATf2",
        "\\WOz)",
        "sLjTndcHVo",
        "Lto8YWqifKeqYAKpsA4",
        "$,53'",
        "P3\"/\\D",
        "XmlAttributeCollection",
        "?jY(M",
        "9;4Mb",
        "HFVbYpkXbRNYRfMEH4i",
        "SystemBrushes",
        "H8mGinwuqyFYEFOKt4a",
        "TOiUYl6bLl9igyS1j8S",
        "OAXq1fUxS1",
        "]EK#D",
        "set_Anchor",
        "*kj6ZHF",
        "eIh2a0jBtIDGQpd0D0S",
        "add_SizeChanged",
        "s45em3GSr",
        "EmG_s",
        "{y\\Po",
        "(4'c;V",
        "ImageAttributes",
        "0WZjR",
        "iR5Z4DGG4enZWHxQVe6v",
        "R40XvbGLueOaZyV6tZLc",
        "OQnnbW9LEAbn1bK0pu1",
        "NMck4WGPLcYPa7uu24Dt",
        "NvLChiiDG5",
        "+/E##",
        "YuMVD5vbXHjpYX7nBsv",
        "ZPj|'==5",
        "set_CurrentDirectory",
        "zbByhf1N3f",
        "tyHu1lvhZyo8dd5RNVL",
        "-s'PF",
        "WERG8Sxqwd8JBdDLuwp",
        "Vp![NZ",
        "n1RQ0Nd2xV",
        "JPE0F",
        "vq!`dM",
        "h$zT[R",
        "VX1yVwG3gfJC8DryFi3t",
        "YNtwMA34kN3xtqPFH6S",
        "W5xnZIAIqiejUIh689m",
        "gC8ZSSbSc",
        "X5NWGIr1nJOGtLtZLLR",
        "KoTrmgs43mYGvtNf08D",
        "MZkUc9",
        "HEGJpyEVN1BQIsfnCkO",
        "set_Enabled",
        "_Lambda$__52",
        "osu.5",
        "gVmoBZIoDp",
        "IskysEGwldqQuPjehur9",
        "set_AllowColumnReorder",
        "PuDBMJBEtG",
        "Vc1SAH7Wgv",
        "l\"m9^",
        "vuDv5",
        "TuLClmj80A",
        "?B,nN",
        "Screen",
        "FormBorderStyle",
        ";@Z{iP",
        "OXXMdad5QPnyy0HLtme",
        ",)7G n",
        "sBQmZhGPfW6PLNHXTmqE",
        "VvwYLvuGSD",
        "rMOZmbc83I2tlTCilJs",
        "_3Tr(",
        "FoPEFUWfyPS92yTcUUX",
        "d6'0`",
        "ksjyAQHnGB",
        "t2Mg4SG4xW70A45BprVq",
        "get_Right",
        "I51k2uK9aWVxn5uN5oH",
        "n71hxrxBMfxE954bPGy",
        "ra6JuYt4IwkYMyCHdxv",
        "method_11",
        "\\Ls24\"",
        "npd1p9GgeTMa4XrNSa41",
        "FileVersion",
        "u7ur4m4UVDk4qVeEurJ",
        "lYgms2dpYdHmYE5g2Hq",
        "TsbAQhGe24XpH8ayLyGP",
        "lPYo5cvjwWaInIFvCNm",
        "method_51",
        "B.j%gW",
        "=8ZC':\"",
        "zFtOBj4lvbx9ksNoZyI",
        "nVtymtGVLCYxybNGwYic",
        "vjZyuOTbRQCmi2D0vwn",
        "x6X7MrG4Zqbs76nwLAwl",
        "uJQwkpI0VH",
        "dvE`x",
        "jZ~zA",
        "Cl5eAsGRGVW5sdB5itxu",
        "vuqj0qqf5xsWQxNNiCO",
        ":@lt9",
        "e-c3d6sW",
        "KY7A3bGGeGsK2k2IhjuH",
        "kBedj22GBD",
        "f[j_|",
        "Y\\Totn",
        "ScrollBars",
        "uPnnaHFcvY",
        "aMtyDtfKXd4EQU93a78",
        "et}Vs",
        "YFCjnpBG35dsdKHN4l2",
        "uAvvrVUrF4MOUHjWTKY",
        "dSYl0iHzkjjRCHagPtx",
        "uJUnBkGwHmOEDMPc1NDy",
        "rUMtsTt9xpHu4a8heDG",
        "tPN5U3Kktf",
        "_Lambda$__64",
        "KTl9yIvuvvVkq0kbdji",
        "!^DuN",
        "riV%}",
        "J[[yv",
        "MVYw6uGAeWhAf9UF4qye",
        "e0EQ3ErEy",
        "LIWOlotV98lYGOVoBi1",
        "GNAoeOBUn",
        "sXJikAKGlX",
        "D1(M/",
        "JQDHHuGREGXm9dmA3DZ4",
        "InvalidDataException",
        "OnMouseUp",
        "GDUwMWeHbMwEaMZtNTr",
        "set_Visible",
        "AwgSFKDna9",
        "add_DragDrop",
        "9  x<3>",
        "CI8xORNm93pqMk8R73v",
        "saESuSLF5Vsh72fiwSr",
        "GbtyPiQ1RARNCWXxsPj",
        "dISePYA6SQ",
        "ajTyM1CIH8",
        "UwQV09hmc4EdEkp6hfD",
        "get_SetupPhase",
        "}w!a}iQ",
        "VPuP,",
        "eAONLl3U7Y",
        "3b+h}&",
        "DdjZyvlg9a4FXub4v1",
        "nFn2wcaSLBm8otu9vT9",
        "mv6IUAv0j2WC3FRk2Bo",
        "Qu xra",
        "      <!-- If your application is designed to work with Windows 8, uncomment the following supportedOS node-->",
        "IServerLoggingHost",
        "g8KWo5bHI5B1tXRqdL5",
        "nHX<^",
        "qWbkoaSowjyxhBbwNDI",
        "N4W7yRGPHc489vMvqjVB",
        "Jj([A",
        "get_ClientFileName",
        "UUnSwkK7Jpr19mwqEP",
        "sskxbUDC9p",
        "get_ColumnIndex",
        "jAsxATsuga",
        "rm%f~&",
        "o8e8AsGwGny6BCF0xqFv",
        "IryvPeTtEn",
        "SG.[h",
        "x@og7",
        "tUcCRAN4MvSXE5sOkwd",
        "y3gLc8IUhuvDFsqEy4g",
        "get_Warning",
        "y4gSjwlvex",
        "8t+Hq",
        "caeiBQUKU0kcV70elZR",
        "get_BackColor",
        "Te0Q/6",
        "IServerNetwork",
        "ASOkBKxfSrdF8ZYT7cG",
        "GxOukHGg2y9WPnyNHFxL",
        "_bM0f",
        "SnITC62P93",
        "FAA4ZJnOpYnOMsJL7qJ",
        "y8Pq9MgkYV",
        "a3h'?1",
        "A2PDx1hUc5x5ylWCnRR",
        "WXgevFrYAH",
        "P79od34K8J",
        "OM7ZSAfguwE39xR8xa2",
        "xkOEe2GKH7CdYFgs5ebJ",
        "GKeSEUGlOrSnfBVExnSd",
        "OCWo2UGL6ml1uonwhu2y",
        "QOGRJx8OAo7Bor3PTsN",
        "lqMc9ZGPI6WLLLPQqoCy",
        "UgsZ9SGRgmtLCe4RD0vZ",
        "GSClDZquXnsNI7WLVq3",
        "zKUPMZaFn3UYOaWRr1r",
        "0':D?P(OfW",
        "SymmetricAlgorithm",
        "y2eC1dlNB0",
        "yaVQNTGVSREgoBxcEnTl",
        "s3JGHZytGCkmcTQBAlv",
        "rJDMbxv16yPiYFcnShX",
        "q_MzU",
        "dctenmbsKm",
        "sEgBApGrJaLWmipwLbnr",
        "jT0y6RHig8KgtvmVFKh",
        "NoticeButton1",
        "ImageList2",
        "[F5S.",
        "nYCk1pjO0aJRSMMDVhu",
        "HUKqHLGgrAn0qc5ICRgg",
        "f-CEOKhX",
        "'MKFP@",
        "eKQDwgvtw8",
        "dzTW%",
        "jTA>`",
        "Ja9foxqtX",
        "CGdqBIGwSexRiwainkMw",
        "a(a*U",
        "N5JOC5fyOF",
        "?qI}E",
        "EventHandler`1",
        "g/4`C",
        "get_VerticalScrollBarThumbHeight",
        "nNEsV",
        "IH0itghNpiTfbZuwjG.9Ef3p7T2phSLlhNo0k",
        "ycMJwJK5Ze",
        "cNe64ud4Sy",
        "wCV7cvBo1AvnsBrCq9D",
        "r;G4j4`",
        "UnVRXHvM2V",
        "1D.tp",
        "dEt7am8UGfLbqAMPxqt",
        "cancelEventArgs_0",
        "hPBYorGIcie6sVA80lUE",
        "k3Id8cGAvJ9dQypw4m6g",
        "set_ShutdownStyle",
        "oS73ArKyGgM7xE1ctE8",
        "6CS*-",
        "FjG4TeSmCmlIh0KFjS9",
        "NtlVY1IpoIhasB0Fwq",
        "Z9:y1.",
        "ToolStripItemClickedEventArgs",
        "jmvFeJiZdxaA0aE3JY0",
        "*YRF1",
        "gv5jzc1Mte",
        "ncsC7Se0Vqvq5t8CYSe",
        "set_Alignment",
        "uZ@go",
        "xZ4vlcZpQy9RHgXtpC",
        "_Lambda$__50",
        "Si2dqpfPm7",
        "qibdKZGesyEBg6bARskh",
        "cRE3VvlZxDr6bRWnAP5",
        "cIuq7fSQXuDdb9Z6mUO",
        "OWx8yKnes6Pt4JAlWZK",
        "Ql35Fdw5GB",
        "Vr6nsuGPMoxtUnBIJWq8",
        "1iMqQA",
        "KeepAlive",
        "PortRow",
        "AZplrPMbhtRk300a9FI",
        "DXmPYdGLUtf44Q2em8JT",
        "8*QLW",
        "KiK3VumTE2Mq3VPYcH6",
        "OHFwtbGPO7HfijrIf1bG",
        "PM%3?#",
        "System.Net.Security",
        "uS90uAGRiyJ1n17X89rk",
        "Ub2D.",
        "tYylpqcvSh",
        "yYunsVGIkTy6x93xau2K",
        "ufl10M6WPbe3SpACwcp",
        "UGKdbkaKOQ",
        "XXyNz8xGSv",
        "Y\"sIw",
        "m7wPVSf1MKlR1S8SwBk",
        "KHhQayltSMfjwmlT1oO",
        "Yo4lZ1s8WO",
        "JdyrI3yF75FD96bnmxs",
        "ReadIntPtr",
        "BetterRichTextBox3",
        "^4SZpb",
        "EscapeSQLQuery",
        "O4ZeEsYiwE18hUxoniQ",
        "BQGJ5hdVmZ",
        "8hZ_x1=",
        "TextWriter",
        "ih9uOfOMGtjR7l5CTgX",
        "iOsP8dHEODY31dq1EJ",
        "WkQFIp1v9XC5KaaquOY",
        "get_Address",
        "StructureToPtr",
        "YtGOVuV8w8vBGAcs7OX",
        "UDeFyTGnGrJCyeLoDgSK",
        "uo4D6sQb9i8MdRZF9tQ",
        "fYvMtpGfof2vTwW1hPs0",
        "uS7qEb8ftj",
        "SelectedIndexChanged",
        "+kP^,]N",
        "+JI)3",
        "?ZZTJV,",
        "TAQeuQDkEaiwWZ6XAHI",
        "ydjG)",
        "OTv9QTjP7DTs4Tk7D0J",
        "jUOlfqUEOF",
        "T2JXvLGEUIiBMb8tMPpN",
        "Label14",
        "nf0w9",
        "`DLM!=Q(",
        ">x[%Be",
        "l7QJ3r2G0YpMIV6ovP1",
        "DateTime",
        "FBwCDWmxnJsMK6ZgtV6",
        "u{]jr",
        "iqrKteBxAlvS9SgUbHd",
        "F8xHeJSuRUC3WpaSShg",
        "lFHCw2o90b",
        "xJb1KZGZLfCPviLEHU8W",
        "=YC:4",
        "dOXD5BG3YLjboiTP4qPO",
        "V6lqZ0wOlprS3YLUxkn",
        "xG?FNH",
        "string_0",
        "O=%q<v6",
        ">x1G|",
        "JFrAffhkNaG3XBHk9Jm",
        "Fdd]:",
        "eFCepDlqas",
        "u4Rqv0JYxV",
        "tGhBDd9jop",
        "_Lambda$__75",
        "ePN6~",
        "aRwn5yOdF4",
        "0!qtx",
        "Thread",
        "BNSe5iGkmdOwvF3P062P",
        "0\\cp>",
        "UlfBh2VSn2fVBRDrwVP",
        "9G)%8",
        "m~Rl91",
        "OO8G2P30AurIWpCrA6j",
        "KsPqpAtumMuyuLfCAX",
        "GetAddressBytes",
        "cHp9Cxq4MGEUoK2Okyv",
        "VUWHFqpeo",
        "pp{gk",
        "int_9",
        "P8OaYFHCWxfCfWF5tD5",
        "zHRq9mpyGA",
        "Rt;6O",
        "Rud072UFe6Wg7CsBQCT",
        "u0mjZ1CBkq",
        "fMLQ5WGgkZZUsaU7VJ4r",
        "aDwjqpze4Yu8XPetRkC",
        "Tt8CdvGNG5TmqEDb01Q2",
        "Qc8NfBocTZXdIpHEhlN",
        "IitTkDqr2u",
        ":[D*6.",
        "cd3q1sIvOf",
        "Mh3WWf8C2vToulJDvSi",
        "get_CurrentThread",
        "w/\"%lG",
        "IoxiuJE3mpBwwRF4Pc2",
        "GBDe4rWZi6jF1hVZ2Og",
        "F21yM4zoG6oktIhcyU1",
        "UamT5vGZ3YBBlMkixVTC",
        "/a-H$b2",
        "JXbDehZ5wcoiroFV69Y",
        "Fqu1hnGYh47aFapB9g42",
        "xHC1LLOlVL",
        ".kK(4",
        "[\"cxsl",
        "OccbgtGfldA6Kdq7Fnc",
        "({\"S)",
        "iehY[",
        "ushort_0",
        "74:zB",
        "FlagsAttribute",
        "ctq4afGMsHGMFNjB4ZHx",
        "KEhQJCKMW8FvWb39AOi",
        "6TnK\\",
        "GDelegate11",
        "GetDataPresent",
        "^Rut'",
        "GetBytes",
        "hIMo8vwU1ebl4UA0wAN",
        "LIlBRSJPRJvRqDb0oME",
        "y0cfiEGKiRYXod2WvZpW",
        "^_^<d",
        "wXyj9QhKlcQmqS0l6ff",
        "SBsw1n52oX",
        "GetFolderPath",
        "KodqmrGZmWOy9LXQ5E68",
        "SetupForm",
        "TK4IH\\Z",
        "_Bugb",
        "hryPDDdhbdArsJoIBvj",
        "NumericUpDown1",
        "zY1DTGkEI8vVcVWRSvx",
        "lTNrQDBQ2r8GUfpIPZi",
        "XJupLa9Qy9A7tSjgZBt",
        "EventArgs",
        "CdLMBVGyDPb4tabEu9P7",
        "WrlDlG7t3M",
        "M8J9h7vOQqoJ6PqY7Wu",
        "\"]eXM",
        "%zRvyPV",
        "\\Q*-'",
        "SlXIueYlTvUGI6dmTqI",
        "ivTxtNfNi1",
        "qbX02GXxQDtaiG3WZjg",
        "IVEH2K6Bd51Axvg6eFa",
        "z1uY7nKaxnaeUNS2FUn",
        "X6dTGekmp30eA7VYGwp",
        "PUxkfy7L2CUymF6kEZP",
        "~k6i(",
        "BPdLdMhV4GvILu5ntLs",
        "FileMode",
        "kEC^B@E",
        "KGJTPehXCm",
        "3ws8:",
        "qQJEfe8kqJ4XmMS0XRn",
        "get_ForeColor",
        "k\\^{GC",
        "t/1zx",
        "/btks",
        "GmAexTW4y9tGfWtPOUV",
        "HDKKl1GrsmEt3OOUYVEb",
        "CTZRF7fpYpZaddqSWmE",
        "@C_;y",
        "GjjJwYGMmjvWXLq8BQLP",
        "V75JsPxZp9wDWXMWY8l",
        "v0j3wjUwHcrjPYc6Gt7",
        "hJvT1PMPVp",
        "obhJzYvKLb",
        "corO5AaCWP9AFBl1JuX",
        "+'1u^l.",
        "B9OEZS2JQeJPwXuMN2B",
        "WQg1KPnaa2",
        "Zb:*L",
        "get_TabPages",
        "jU2S0uSvuCfDyKqD4pN",
        "GClass24",
        "JJag5",
        "@O#/p",
        "T877xSEnOJ6jEj40odo",
        "RaoA4Tzwg7Akr977AL4",
        "svAfeBXoFedfJuOSay9",
        "VjaI9tGxgjuBao78l2Xp",
        "method_2",
        "PbAPVFnuTiW8dQyR0IT",
        "t1BRJTNcS328MDXeE7A",
        "U8RaLwTRIXwZxFXpWUg",
        "get_MethodHandle",
        "aAnemjGCglw0QNoUoTw1",
        "CeLd67itUrPPlQTSBld",
        "fqNVhtUmNBnH8ehrxfO",
        "c4YUmY1Co1eqIBHWM93",
        "30Hr;W",
        "XTHy5gt87tDaF1ZMW0D",
        "C]*8So",
        "aekZkmsG5DkggfW4wBQ",
        "L3o867GqrFgpkEqDFRk",
        "j5GaEuzN1ASE0eW1KD4",
        "HvSRdQaZuX",
        "u5plJFGyjO4bYNJIxg9U",
        "U6RsIVGx2rAOyWhoU0JN",
        "sCF55wXcLq",
        "OLuemxTc82F3H2Rt430",
        "dDj8gIisF8dcj4xtdvh",
        "Ma8iZl65M0EIl4wIanN",
        "1,-HE",
        "fnm8lGjq2NX2b0aEqRp",
        "76EDNMQPVUWUXU\\[][^[_[bacafegeheierqzy",
        "gl2AwW1eprsJyFTGxi7",
        "SEBRYIUeII",
        "v5W8Zy2t3F22Gys0Cj5",
        "SolidBrush",
        "_Lambda$__80",
        "MOYTTZudOgp8EBgpliT",
        "oakxeea3jEtlvV5Pxhw",
        "riwcAkkW3TJIlc82Q4w",
        "gA3Nfm00bGP6uDxRel0",
        "qan;j",
        "Gb7o`",
        "NameText",
        "F1q8ta",
        "__StaticArrayInitTypeSize=256",
        "rKQjGSiAQTQY8EIWtYe",
        "ExitProcess",
        "DQnbtoZqjl",
        "UJiERyGV0Rb2TooMaXe8",
        "(Ofl>",
        "Label17",
        "Lf(nl",
        "CivWTLGm1daf5gK1RrvI",
        "IeLhRFGKXCRu2sg428W7",
        "m2942ZQlOx3wxEr02Jd",
        "lZsYCHdVG8c52xS8wV2",
        "iGH36YDRvGkq55FjOAP",
        "HdGigaGXeKpsvhNMcFY8",
        "W|D5\"",
        "6~JE>d",
        "K5fstPGNVhGivOye625X",
        "hnytmrGbxU46a5QRnkjv",
        "i5-*0",
        "aAKoFTIBUv3T6W7tfPs",
        "_Lambda$__84",
        "Cen8w0GrXbFGKftFjCjH",
        "t3Xqkfdir3ulRM1Dc5",
        "e*e7k",
        "ncU&H",
        "bool_1",
        "Hau1FjfFLh",
        "R52hX",
        "G2dlAeeLtw47R2NKxEi",
        "RdyyKsNN5Q",
        "LnltGrqvgEIB97ZkauG",
        "get_CheckOnClick",
        "Lq0ilGl1kCv1ZruuahI",
        "MDKCH",
        "I5dphwRhbh3ZBpPrF5t",
        "BQL26tGPqjBiPCctci9m",
        "QFO0yAcgo1",
        "zBbmIZviN57eT9InZad",
        "Ta41b0GE9C54UmsujjE9",
        "$,jxY",
        "Xl1qA4AXs4GWHcKbou",
        "Ox9TeUGgLdkhhWP3wxMO",
        "get_RemoteEndPoint",
        "ArLSbLG4X4ZJQjvclEe0",
        "ToolStripSeparator4",
        "gdelegate8_1",
        "manfkDGGdZXwR27G6e9o",
        "C)ktC",
        "int_12",
        "AgbDHj6J8o",
        "cVj7pJ1hubJZVvt59hn",
        "OtZyXC7MD7",
        "NumericUpDown7",
        "Kn*JK",
        "g!%D9",
        "zoo6SZGCrofeKF94XIoT",
        "xvrSSpNq1PuLYAcEZLF",
        "GetTempPath",
        "THQu5rGgIK2Ouy3OeRSp",
        "DnHQhXGIILlb7gO6uRW7",
        "OpenFileDialog",
        "zgsIgnGEi5xnePYKqQoN",
        "nTjUfbGPD0S31kweHLGW",
        "KDHv3oz5oST7bksBpun",
        "lT7~R",
        "WWWRdrn2GDq3y2sHYaf",
        "MMCmgaGGoJ3KyCsHb87m",
        "pkLcN40mfrq6DukUZ5P",
        "YjobHxxV1H7Ir66Qk2A",
        "BuGosLLwOxyKSOpoIg4",
        "H5mxrFGL0ZpeFCjoKS3I",
        "h04J7I91WG",
        "CvN13bGVNHh09Wd0EMqV",
        "VxlhdkGhRQADTtTQ8PLl",
        "font_0",
        "LogBuilderException",
        "AmWNrChprhSwoyQmv2y",
        ":AW[ ;L!*",
        "op_Addition",
        "VGvq3qEog32dMpY17IT",
        "TableLayoutControlCollection",
        "reaQEEGnWuVNGO4DTUuk",
        "{oY2.",
        "IComparer",
        "ik1:}>g",
        "-As@}",
        "q#d#Y",
        "T1z*F",
        "method_49",
        "ProjectData",
        "gHVdVmZpj1",
        "Wi]l5",
        "1n$pn",
        "piK0wbGPV0m8aLJCPhEp",
        "hMhUMXbFpGyyO1Lk3eP",
        "hBvT1MVtq9v0Yn2o9mJ",
        "HQqXeMGkIXY7xZNNEAKK",
        "@6/5X0",
        "CheckBox7",
        "pQRdo4Gw7nVqpLq5rU01",
        "xcS3JH6RoJPrJMW5whj",
        "LISGxB2kmvCIapOOfv2",
        "ApplicationSettingsBase",
        "MVV8bLGbYonY4G3PSPY5",
        "TvO>C",
        "AHPBSqGmtvYmnW428qyj",
        "KQfqAV2NP1",
        "sUToWMIzwqKnoEBgOHK",
        "#Oih[",
        "get_TextLength",
        "y8yIrPn3nk18V2UqoCi",
        "method_19",
        "dfrl3ZGAqYB8fQEwBbTm",
        "pxP82jXjvF31Hl97N3f",
        "_Lambda$__48",
        "sLShKNM7HE",
        "}(q'|v",
        "MyNyxTGAsGSog818sPaF",
        "yX[Wd",
        "UiPZtk3G4kFsAlQn4x2",
        "CfmvtfGEhiLBetvMjwbs",
        "get_Listeners",
        "Bbre2tUN0oOmTgIegE1",
        "cwg0noJBULvMUyuni9S",
        "(]JJV",
        "CjcNRq6vTXmEg0micgE",
        "a\"WPV",
        "OhLA7xZNXk",
        "UNJgmHtDFpkSMwQKmbf",
        "KA3sDDG8HYuvIu2iguwW",
        "k9Qswi5mQihnEM2mfst",
        "~VcaD",
        "((=3e",
        "!W/\\-",
        "dbmHiH",
        "fRo3QOSAfKJkQafiTb9",
        "GetType",
        "uY8xqVtf23ZjGhKcOie",
        "`WqaaB",
        "T{b9/S",
        "C50rpLbrxr",
        "aaDkN4sWktpvOxwnKUX",
        "fgMg38dD0a614l1gaIv",
        "\"YzSx",
        "q1TURhGgHRp5XHtOvisW",
        "KLCw47GN4rDp7qAKJM2G",
        "!P<Eb",
        "eT5KpFlDnyVtO0RADK",
        "System.Globalization",
        "`kZiL",
        "SizeType",
        "short_1",
        "AchqKHCJqX",
        "FeedbackFormControl",
        "QwkuaXGlC0fg0QJAQOuK",
        "pvydsNGMwxdkhlMqNVAp",
        ":aRw\"",
        "ToolStripRenderer",
        "\"uO/U;",
        "hx8GV19efPvkpiqofyy",
        "UVAfOo5sMM",
        "dmeOXfGtDpUsgLkfNWl",
        "lFjhxKnJQM6cEViRkIj",
        "lWL8ntDcQl5F0dAGZtt",
        "UF6NsH4PTT",
        "gkfHiJGPAyop7vasbQMk",
        "0\\/;P",
        "KeyValuePair`2",
        "}(v=+",
        "T7jaJrGr6eoTGl2i8hcT",
        "g8k9w8G8qBeAwGL4LrAe",
        "gclass35_0",
        "oNo0bivTK9",
        "DqN1zHDn9j",
        "ushort_1",
        "JKjymBqeFm",
        "K1YiAZGev4gLfSZPRhXI",
        "3W&eZ",
        "iB6MZ2GM7LjFyDleNDj2",
        "C4BRtWdz1pwpJYlLJNn",
        "$pa]x",
        "GDelegate13",
        "PointF",
        "WungjQGrQssyJ33gOnfZ",
        "rKjvjasH9NMxxOfg8F7",
        "remove_LinkClicked",
        "Dv4BiJGlQucCage01SaL",
        "jkGqeEGyMggwqWw0NHST",
        "R&^,Vn",
        "jMKFvhnYXetKyWPlypV",
        "Fx6xt8GoDwVJZeNlvsx",
        "eDoSshGVsl9vuntuFTdV",
        "swOZborGHs7rLAYIu1T",
        "~Xy@8*>{ 6",
        "H9lpNKVkemHvksSosia",
        "UHFR2HUDTy",
        "mHwZaXYFJp5iY034i5j",
        "fVcM1E0nUTDN3ASETI",
        "TR6M18G3ZBynjiqxaDsI",
        "doMh0Xr4fuGUbfJomkr",
        "aXg2EfDEAMIsAFcVWwb",
        "ivJ^RB}w",
        "uPoRAHWNer",
        "ImageLayout",
        "H&w@-",
        "IServerNameObjectCollection",
        "=)sF3",
        ">8`3B",
        "kdZe:",
        "CancelEventHandler",
        "J4'xy",
        "MeX6joeM7IClQ9fCkDC",
        "sFYT74GLIceiTpIRbKrE",
        ";R9Hf",
        "MgvxrEZXvh",
        "NnBOk9PMA9",
        "^e?kJ",
        "BWKAspn36E",
        ".F<]U",
        "mfYbhZGy9LCl7p98EOax",
        "GSe3Wk2CfaSZFMuuMos",
        "lueF*eIJ",
        "uVBEbOi7EQ4Mo8RsttZ",
        "URY5wHfKfH",
        "IVWvHuGEsf5OUuiNDM2C",
        "wzTqs",
        "InterfaceTypeAttribute",
        "tPnrrujXao",
        "RxIq0b5llCtB4Afqimd",
        "GPa7mUGgXuBA0atGry3I",
        "^z^{x",
        "ocHInVsLPg2gDmGLIQd",
        "&Gq:(",
        "ThreadPool",
        "f'(p:4",
        "Control",
        "YS5fOniEwAJHoiUungT",
        "N)[hZy",
        "kwChpCSRSk",
        "O;sQ/4",
        "zskDCsrcF01Qim0qUus",
        "w3Ccophvq616lHMyNyh",
        "FQdYF1ttwDpFI1xMWl0",
        "Y3tjo7Nsd4yf5c7Ekwk",
        "KuDH5nMyqbhrR289yB7",
        "eDQF67T1qXQjwesjP9a",
        "[\\!_ebR",
        "O6PKaozZoZrJ3VnQGyI",
        "q|MvId+",
        ".bx|m8",
        "2Vj<u",
        "iR4bL3EraFuDbcAegqA",
        "AaZJkXGESV1ZpF5R5EM7",
        "KagrtHGeOc2Odyda0kAW",
        ";iOJ|",
        "_Lambda$__76",
        "<Beivra-",
        "dfi,<y",
        "toolTip_1",
        "uSAYaK6HLE",
        "(;.p,",
        "gcontrol0_2",
        "TabPage6",
        "KKKN0qGyEapEULF8NSXh",
        "NX9dE5njlD",
        "If40VH7GRdTgEAxhmK",
        "QEGd0u6b01",
        "|Jr;~",
        "Width",
        "hYZ8oxGPR0FJ2x2dKnVT",
        "H *nXh",
        "]fKF~",
        "CH7O1bvlOP",
        ",bpB*",
        "+ltdB",
        "aZkJ38KmbIPtWl8FaJF",
        "j7UdU9SZM8",
        "TextBox",
        "TabSizeMode",
        "GtG9VTGfsoSNPQsRuwU9",
        "fyY1tS90tE",
        "dd3mpOpID7PxxVdnOg0",
        "Z@^NS",
        "iRA{dB",
        "#Q\"jv",
        "ColumnStyle",
        "a4vTbvjGOSgOWLXm6v8",
        "BkC1QU3Df4qSX9fPXKK",
        "uZFEJLGnwD33OQE6Ro9h",
        "FC0NHGhxDV",
        ">RX|)7Iv",
        "J<(!?C:k",
        "get_ManifestModule",
        "oclRlQGtyRgbxkBxcoA",
        "BorderStyle",
        "dKr;G",
        "w/br/Z",
        "AapjhVV0OGB13gYCuDf",
        "iLYiFjMSaE",
        "GetProcAddress",
        "ax.5h",
        "jrutWdiWeBPSfve3Et6",
        "]_|8g",
        "TrialStatusWidget",
        "uZCDzNjwGq",
        "S-ri}",
        "xx7dURGIJ8jFaZ2nNiWW",
        "wpBNTalEYis5EPrBwj2",
        "X5TTYkGK7L6mxAc8X9K8",
        "g  Bu",
        "t^ED7",
        "cGWo8s1Be8",
        "ItuOLMGIDgGujihc3Tjx",
        "TextBox3",
        "W_$u5",
        "iEeQPqWkEs77pWS4o9v",
        "ColumnRow",
        "*g,n,z,",
        "GLg2BPeceFyH8kWdxIc",
        "K1u'F",
        "m27sPjMtaHe8kUTRPtx",
        "jMOd6HouxU",
        "HYv5g4Gmx1lb8W6UDqRN",
        "wb/if<",
        "wO<p%",
        "dDJO7EhTWu",
        "j.v``",
        "!dKH>",
        "yJpe$",
        "_Lambda$__87",
        "3oVF #",
        "sV3O7gzcUNQ8rjbqkfW",
        "YZQUhPG1iKvMOJ9gRXA",
        "L2Tn~P9H",
        "H26VUxG352NDMvQo8p81",
        "+{)^I",
        "get_MenuItemSelected",
        "SaSGFpGxBIkkVJE80v4A",
        ".*.J.W.f.m.",
        "}/D]*a",
        "fEoHyIeiOS2tDY9fo2L",
        "EW2cw7oU55lgVUPPvW",
        "VVhvi\\/v",
        "<&qI3'QM",
        "ojxv9NiyDj",
        "Jd1O8GxPY0",
        "}XX@o",
        "wA9Es9s05y4MQ5NTncu",
        "hRpu[l'z",
        "JJvXOtGnb41gtqyDNCen",
        "MEnwCl9zlIqTMM66Nf3",
        "e5IwW3GKtn26rQ2KEUUY",
        "BuqPEVHO7i",
        "nRxuy}}",
        "gFiuPHGI9g0s8sfi4lG",
        "y11LfeGlraxeWS4mOaW7",
        "get_ExitCode",
        "QqcCWE7m5o3F6VrkVvY",
        "f+^,h",
        "WMwB8P18oFOK5oalNgN",
        ">)uwP",
        "p4YNL8GAgB8k3K5rxxv4",
        "CKTTAfy1LZyVRmsdfi0",
        "ClientReadPacket",
        "XZ9iHyTR08",
        "unP(&5p",
        "CbDcrCUxyVZ4npwHbgA",
        "TNoWqMGncYE96cmuKGNe",
        "]geE2",
        "e0CsFeU8tvHqjtZ4OtS",
        "mCM(L",
        "H4hRIc6T60",
        "Mn12REGXTrMc6kdMAHIp",
        "@YmC|",
        "qK=Q/PzA",
        "Q(>Na",
        "GSy1{",
        "ToLongDateString",
        "yL\"`6h",
        "rtPGLqoncthkjeRspV2",
        "Button5",
        "asyncCallback_0",
        "dRfbGTGNSrp54ls3duP8",
        "J[ge`",
        "iD2Z51G3m8GdYRhffrPu",
        "WriteIntPtr",
        "W9ywFHsI5kRVDrVA6uI",
        "AdvancedServerSettings",
        "fhewgMlVgH",
        ":BM'g",
        "rTxR09GHdQ",
        "PrepareMethod",
        "1FWa6",
        "8V))y",
        "CloseHandle",
        ".1yBE",
        "QIRoacWRGI",
        "WWEiV4O9YwMs61E5SX5",
        "OJGiynVZ8R0y5GWdVsC",
        "LYHZeCvfS5VVWv1o9Ts",
        "-H6uP>[",
        "amoR3tjhEZHNTLs3mE3",
        "A|rmO",
        "wb+^5*",
        "set_Maximum",
        "9=:36",
        "s;|tL/",
        "wqh99JReCYKWcZF9AvQ",
        "nHRRN1jM19PhPgQknIO",
        "{|p'_",
        "GhW]r",
        "zmF|+",
        "y9oZ02YtOZKPXpn476w",
        "pj10f82QNk",
        "nfjeZ8ETq8CFwSjwU10",
        "gdelegate17_1",
        "SjUwqQ9nSE",
        "napvxf6KoQmPm91w00R",
        "lRlVG6G3V2J4ZY8hJuRl",
        "axL97K8VmwwWw6CSfUx",
        "n6AufHTAKkbss8uaaFC",
        "26*,rg",
        "zN7_(C7",
        "a1tBeJSNeLXRIlNaC8l",
        "m0O\\t~tm",
        "M1Xe6ytX7vbCNYPtlGD",
        "KnGoqL6xcASZuyuaZbA",
        "L39erxzljsIp0D7uYJB",
        "KQQohsGObNu0dobfO9S",
        "_Lambda$__53",
        "xuBUycGNn10V9cegLQmY",
        "IHgvWpGP8DFcmsgXcgOi",
        "(V5-J",
        "_jR'qV",
        "Q`H'4",
        "ToolStripItemClickedEventHandler",
        "SPxCBNGRfrdPHpDEuTX`1",
        "vK8V7sys8N7GeIfiIC7",
        "method_3",
        "RseoZRI8JGT3uZfgNMl",
        "<v{YC",
        "JY31ygRTZ",
        "vHMOTq1TYc",
        "SwIoYV8VsI",
        "lJSKONu5gy5vSfLt4wn",
        "daHQSfV4toPaoW0CCuh",
        "LinkLabelLinkClickedEventHandler",
        "ReadDecimal",
        "{Bg'7",
        "gsvNlVySthAE9WBNTr",
        "pUfaZQkw54smqo0skb3",
        "hv0bjoZhKT",
        "fTQKwsE18scaahDiiNu",
        "jEoWUNGgMfWwp4qUPWR",
        "xpnOvgGI6HqLGCx59inB",
        "ConnectionsManagerPage",
        "G@n f]",
        "c5cwVw5HPHjXlhwWpbk",
        "cX~cT&",
        "pTBD`",
        "method_8",
        "^?mT5",
        "HU~r;",
        "dPseRwp6JLU2OmHuR0f",
        "DRadZMiXFCwLG2f5irT",
        "OnPaint",
        "ZGi{X",
        "wuyb3fxlcr",
        "THDhkb4OsEB1ATAhh0X",
        "W5fTMtH0j7iMJNvJHtk",
        "vlWqWjyrcn",
        "B5PADjK7VE",
        "Pge48",
        "Gf]7I",
        "Y:Ze#",
        "cookieContainer_0",
        "hryi8ZiCub",
        "RemoveByKey",
        "xf8d8mIDg6YC6uHPCZ",
        "set_Group",
        "pf1pdUc5pa20oSSUVm1",
        "RY;3rNLB7",
        "nlNsME9UUvpYJre2gIj",
        "ew5|V",
        "{11111-22222-50001-00000}",
        "eRLQlLDQQp",
        "jtBAekXxKU",
        "C`?0~8\"",
        "AutoScaleMode",
        "anHNMcmKd8g9CvErW8M",
        "UC1M#",
        "NBLCZxhpbD",
        "y45k897aGj268ZI9FDl",
        "dd27DvkQG7ctlX63v4v",
        "UvEOwcqRRKRsEeuNBtj",
        "Rz~ #",
        "\"<r\\)",
        "sQgsY6MofhFUFNTct3q",
        "qJ9d:[",
        "V6sI5",
        "rH4Yws97CnheYrOZRiu",
        "ZjXsM",
        "lm1X*",
        "JMYNpf0djC",
        "B4vgQFGx6LQBhNoiVhae",
        "E676rqpmvx",
        "bi%CB",
        "hwMmHa3jco83xHbsDNl",
        "iPfip4qt5JiuEmqutIY",
        "mx~gX",
        "t1PSFcGAARWRkmEA9J08",
        "Fi7YVmrBxi6bxvwkwLA",
        "obshuoQ7aZ1n8oog9VH",
        "CloseToolStripMenuItem",
        "pHu6D8X4iK",
        "dlKK7SbPGVQXdlAZ8dR",
        "JB0sP8GX2LyrrajtvEOR",
        "TDyMLkjVxcasInZ1lvI",
        "Fwb:B$[",
        "zDhPQmdy1nURnY08KnT",
        "rDeSoGshL9",
        "settingEntry",
        "gvkT(;",
        "^Ir(^",
        "OSYOnnTLC2FlMt0l2Ua",
        "UxA2OEPpxfqRJHb2lMY",
        "youiCLTwR0y1F1hOfFx",
        "SqZupS9mvDLb9sPQqHR",
        "mNfv1FGRt9banH9AlUuM",
        "O|V8,",
        "XD!X&",
        "NpnBEeFUQH",
        "iuUPOv1NMHdCLwg7m7w",
        "MTP35VGrHm4FVWQ8bILI",
        "C4gCVfmVAgRE1kTIoA9",
        "O5mqWLezKnF5v1juyjj",
        "GetTabIcon",
        "NumericUpDown4",
        "System.Runtime.InteropServices",
        "method_42",
        "iRLYFJ6pn4tTb7m9ZHP",
        "MlmP69siSerZvhrbour",
        "dCFS2KONo6",
        "n36FKcGPothssbg865xg",
        "ClientPipeExists",
        "UR6XPseaVKgYnjVmsbW",
        "gcontrol10_1",
        "OnRenderItemCheck",
        "\"!(mb",
        "N\\B0i",
        "qc/M4",
        "VNSSW8J6gbMMNOs9WeU",
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>",
        "kcd1vWKAjKAGxB9PF5c",
        "f1Tp0ZVa6",
        "S{z]2",
        "gclass31_1",
        "MEphoFViMGmCjQMvlLY",
        "Xl5SXEGUqu",
        ".(ru/",
        "B5JlPRGVU48Pwf6dv3w",
        "jpIrCbcHOp4LsjCxkuv",
        "UCKjTVv9EK",
        "owka7Nx0CWyTE7KsNMK",
        "O934qmDPV3T3qdAEuZj",
        "cquTkrGPToHyn92B6Agt",
        "IwhQ71Fq8sqG7yMjFaZ",
        "AN3RbmgjCaBcbbgONbE",
        "L37MJJGL2ctnnjgo22s1",
        "Gr4RmPNx07m4KjmPIn7",
        "OYL0hoPJn2VDnhvYkCc",
        "LinkClickedEventHandler",
        "Orientation",
        "Cursor",
        "{q0'T",
        "j7kr1IFTpU",
        "Y5QvfJJJwN",
        "<8851N_bN",
        "poijeA3omf",
        "Ee50v3AaRT",
        "IListener",
        "hDy1PfGypw4xhnkyS8rs",
        "y4msC",
        "QJWx5qww6h",
        "set_Font",
        "h9YKxAGVrbW6mDUmL6YD",
        "Enter",
        "Co{B}k",
        "@';Q,",
        "fhuFlGalFuRs921kucD",
        "mwIwYDGrntlvq66ARn46",
        "ShowAndBringToFront",
        "WRwwsFGAaC5VFaacDfTx",
        "LL=]9",
        "{C7uqo",
        "zTVenBB7KnDyk5Ai7PP",
        "&? $yKmTI`~",
        ">W=o/",
        "apLeKE5Kea",
        "IamrOCPnXd",
        "jT2nUIwf5N",
        "AssemblyName",
        "PHnmNYGxavB6Zcie5qOw",
        "NewsBrowser1",
        "XstZl18ZVliUDboyUuW",
        "mN805GUdxq",
        "<dhKUF",
        "Label28",
        "UN7omZH0KB",
        "set_Value",
        "/z4x&",
        "TcbCRdOSSG",
        "a1Ickb5QaGruTUQ7ePt",
        "Q709nDG4ORhiehXfcaJh",
        "G8FSsjtO9Q",
        "4(4J4d4",
        "dx<#U",
        "DA3GetTGivlxNLQa3Gg",
        "wWF7C",
        "FormClosingEventHandler",
        "PUQQh2y5Su",
        "NqjjnMhXBx",
        "TxueGIYgpH",
        "QmjN3arco7",
        "HrdfyQNRekwKM0ytnUK",
        "Yg1odi9d3deqZMV2rup",
        "O7l10XGKV5QPXVJmXqAQ",
        "rAg1R6xsUU",
        "\"Ow3P",
        "CQPYlnGM2cikkcfnC7nd",
        "qBvxXpKjYK",
        "i36DDTcXQCtTrCSmyHV",
        "YysvoCy5DmBtlL11UpR",
        "BOlZKsGGzcTu1CiOEEaO",
        "LsAXIKVVSJYhm1soiFQ",
        "swe1fl7ub2ZZnbBJNVS",
        "wBVbDrkb2080Lv9s9Eg",
        "N<mH'S",
        "G2kx8TGNuvO8Ff38SN38",
        "mtZsuySLnKAF2iojTC8",
        "qqNYFrRc6KepUhV2T8G",
        "uxtheme.dll",
        "q4yaqLGMo2guT8NjAlR1",
        "U[]\"0",
        "TNsiKe3px5RoVaIjjnh",
        "glFnwPglLtlLrc1unyX",
        "lOa\\v",
        "kWlCvKfPxsChoDIRfNx",
        "KLq6UStYTbUDbL48jWD",
        "nxdvKrQHX4gZknjCSGs",
        "cCXATv4ycu",
        "nPYjWrFxiTHGGSUovc6",
        "6A~C3F",
        "iE3o0y5KH78QDnYxS58",
        "jfyILIoB81ZGFoc8btI",
        "nuVRCBdwIy",
        "FWazx",
        "c-|xS",
        "W']%$",
        "ugxjXDaOOu",
        "K0TtBburD",
        "method_24",
        "VVcqDfyRcd",
        "5v W_",
        "Button2",
        "wTBqjkGIaLDucHvNEXBI",
        "#F6lA3",
        "NanoCore",
        "PAXbGG1tXYc65CwgHod",
        "fDacogffbVjE7fDVtbt",
        "rUO6N4rvjqMXWVFgMn4",
        "lgsg4YE2mrrTOhH7CD",
        "PjUtORwb7vCac9EBpF",
        "e43pSoGrmGdkw5CIJfhO",
        "RwBMEsGmnW8MEhdweuLY",
        "PvyfCAMM3OVauvVUEnd",
        "h<|}1s",
        "yE4FS03XHw56b28aCE",
        "eWrFQcGG2egLcrudEfSj",
        "CeV!W+",
        "JrLq8lGYnD7gpr7FC18",
        "iOyOHxNasS",
        "zXRc5a6D153bSu6JdCp",
        ")v?(Fp",
        "mt0JIHxsvf7krJCbqTn",
        "FileDescription",
        "NuCOJSorI7",
        "MRLWcP31SDBQpn2M2Um",
        "PsfSNvQnCO4SDUiUEdT",
        "tCtwvyGLrv9WjQfGPQ2J",
        "ajw !",
        "QIWAWcVj1L",
        ";G!FR",
        "?`kP;",
        "MZY2QAg4xaQ6nJcE3oa",
        "KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator",
        "pDwbJAIGQB2dmghKKLF",
        "FFanshd8NB",
        "[w>'Wh;",
        "dYOOlea6K3",
        "u aw0",
        "#`yk`?",
        "xGtB5I1o7aCiN8OxtfU",
        "AGpAyfs2xdTcYALRc5h",
        "mrQoR8Hj3u",
        "y7WkSZG4TdAG7nO1fEkS",
        "set_ImageScaling",
        "oB6OykbF5b",
        "`cwX/",
        "hW2MkruGtkeoUMNiZGo",
        "!gu(@",
        ",]v|;",
        "ldWevi2ex9NKZ6Xch2A",
        "uWCEKxGR9as9aCL0kW75",
        "J8ZB65GDIG",
        "uCn05TNQfWh2VDMxVSy",
        "ikLLo5GK5YhYgoIXZaUv",
        "UjZ13tGVxRxI3SGQvGJX",
        "TnSjGVDme1",
        "UpdateNavigationOrientation",
        "get_Information",
        "BvDWlqscPKZ8wDItjh1",
        "F4PJh|",
        "UE1rtkYMVqiCtoa7a4",
        "oIPxrLxi8QcRtKFqvun",
        "j3tXT8HdWKhx8c0D54D",
        "a4VC0BHq4GX8sh5wEXo",
        "aulSDm6cRIFRcLGn8rM",
        "UCnFYKh3Yf2pAiSWo2D",
        ".H6kel^z7",
        "M`<p/",
        "%.-#t",
        "cmFiHcR66Q8Fj3htS7T",
        "iJM'>",
        "%:f.U",
        "bfhPd",
        "GetClients",
        "ihgac22MPp8U4KOmXjY",
        "J2BRtlJaw",
        "_Lambda$__42",
        "UquQULGlUKaVOy9ksIbL",
        "e|*}_Q",
        "Y7rj0FhsaNJ2DFZRprF",
        "f{P^0.",
        "1kd t",
        "R0sVAckKlm6GXu9OkW",
        "get_Control",
        "Q9bSgLi0Pi",
        "KxfO305TGXrLOCxpGpb",
        "get_Transparent",
        "Ks3n86ivCtrAm5VEn4Y",
        "o\"pu_'[",
        "fEbql",
        "file:///",
        "P16yyLjaBX",
        "MD5CryptoServiceProvider",
        "w8M66d0HioEl7A2dw0b",
        "0(cuK}",
        "7&;Q.",
        "AddNotification",
        "K1Ysxo5CROPdG8nn3a1",
        "WCwWp4G8oeaJH4FdYgaC",
        "get_BytesPerSecond",
        "CMPRfYcyGI",
        "BnWi9n7OjPZMUpebqPL",
        "SG78IGk1Yp5qJYx32Un",
        "\\'7>|s",
        "L2\\44n",
        "hstAbxfLUyUU9WVX6GL",
        "P3kimmR2ipCH5RE0KU8",
        "categoryName",
        "zoYNQKh5yM",
        "B1\\s>",
        "3%7/~n_",
        "dK9KZhGegn0efoMnZrBv",
        "Th\\b#",
        "aHMefZJAk8",
        "XF74h",
        "BoVB5UwfKJ",
        "AXoddxukU6JtrOghlD9",
        "j7JhB0JLgk2YEkPAKUn",
        "dcKTEuBXfYjfNFo8TDs",
        "BFTyv1Qbet",
        "`[=E?",
        "GClass28",
        "JOIHLGjtJsH0OgykUVj",
        "n1v9FylhoCQwgmMqP1B",
        "ColumnHeader1",
        "Jfy_0A",
        "P{VELGf",
        "hp7Hh&",
        "X\\rqj",
        "g`J^v",
        "HZPyD",
        "dUDf6ZovvKCyfEHUqMK",
        "HHGkitXMxoPa1UAG4cQ",
        "RVP82Weugns7RHbLouV",
        "ReadBoolean",
        "NTjf9eNgWKZTk9DhwwT",
        "Ot8TXmtU7lhOEGisWJZ",
        "OT0RtlJ055",
        "System.Net",
        "ygReIWPKYp",
        "_Lambda$__35",
        "HOZo0RKc26",
        "F82Rs79k5BcP5BIUQb2",
        "J5DKbGZeFIAuJsu3508",
        "v7WC6Jbakj",
        "IF))[7",
        "Stkb0oElqu",
        "IServerNetworkHost",
        "xXDA3XGTuD",
        "FG_'L",
        "NKlM6onNXSOsj0AcwFK",
        "i0p62HGwtcbMAxNZHw9a",
        "Hl2.=4",
        "HoMo0HcBRMES8dKjeZO",
        "2*242J2^2",
        "VirtualAlloc",
        "zY`jU@",
        "sB~VIt",
        "imageList_2",
        "\\.W^q",
        "pPb91SGYsXMokPKTSvog",
        "BdQed4WIXl",
        ",YK9tz",
        "rne7QF6e1B5qAO4MwW6",
        "p1lcvWG4vsjlmUyPUWuk",
        "IUhrAlZJQaURpn2V7Sr",
        "tO6v10rvKq",
        "dnsapi.dll",
        "CultureInfo",
        "rKNFsjGlVUNjIR9JQHmr",
        "WvZatTkKawMMc6GdnNN",
        "mk\"CV",
        "LdwSiVxnLa",
        "R1dlJ",
        "c5PxN6mkLc",
        "dmYjJhJ0896AUKcYfyB",
        "GVeg1rGAPfUU5RPIw7TT",
        "kFapmkG8Zr4p2M0UX81N",
        "KkdTiMP9vvyHdGh1I9b",
        "Ucs5d8Bqu5XCh1w0kTf",
        "%.k/O7u",
        "GDelegate7",
        "{j+gM",
        "DefWndProc",
        "KW46rjlje6oBuOtEUkF",
        "xQAAgsXXGanKOIMZcw6",
        "jJRqE",
        "Close",
        "gBRy9yihuU",
        "IServerData",
        "DrRxPqGMeSJsUvlokEPn",
        "lF1rG9GgvE4H4UNCgj6X",
        "FBoYPvu4VPiB94272P",
        "{hwbL",
        "p8LxPpGbgB3A1jHPDOf8",
        "VeHh)",
        "Sw23WQ6zZwtl5QEdYkm",
        "*k0h8",
        ")5T3R",
        "CvMbniGGmwTE4JKEeOL",
        "FbikTBo2nMWoEn4ubCi",
        "Kk2bLmGCJ8U68DWpOX4",
        "YARfrd8NAWuex3kC0u6",
        "Lk51qBpXPaM2vvMnf1Y",
        "J6kJNXWL8aSaQCeZSjg",
        "jmMrIeGmErcbNshEIxJC",
        "Dm9S8DGmMYfmYrbuGAQn",
        "hC0htf7KJ3AhsKEbCIG",
        "mg2rCQG8ijG49bykPul1",
        "PpFenOuTWhpCXAldIGp",
        "i;/9}A.",
        "Gk3TSaKpTG5SrPqEO78",
        "DQMl3efykX",
        "WvnoDlUWs55buc0kadO",
        "Bqq8KvGw9eZ9TVCyE2hP",
        "ghoJBFrOjq",
        "n2sOXbysdJ",
        "__StaticArrayInitTypeSize=64",
        "6ppM3G%,]",
        "kZy4fO89a9lGebD2vis",
        "wFgGIjMjfBIWX3ixHEj",
        "F999puSoaD6PcjcfRnX",
        "agBAM6F13v",
        "ciCjZTeJEagVuBtPqfC",
        "{fydk",
        "aWI01YG9NXiaCYhndLM",
        "kHYHAhqWn4MGPh2LlTL",
        "eqcQ9odedMjXL4jh5Q6",
        "xKn7rcl8YQ5LnDGcPmP",
        "tGZCnKG876KIR75KBsL7",
        "imNyF",
        "K*(kS@",
        "yyILUiGfVfQSMXMaoSNd",
        "dl9BEW9gXhXup4ZKQCr",
        "TVS12KGZnyEUiMhYxEWo",
        "R1g1YRGyd5Md8VoWAOZZ",
        "E9cB6qGkhOpWWfbkxF0h",
        "ThemeSettings",
        "IServerApp",
        "set_Top",
        "NCTbxcQdMu",
        "T12ZwiijxMkBAPuMgtc",
        "GClass29",
        "G0r:t4=",
        "Kqi9COKCHBqXO6AuRny",
        "idhGjUGmqEYJe9h8w8JS",
        "cWQwppEU7kVmi2YVRab",
        "ProtocolType",
        "SWTSWqBqy5",
        "&i\"}`",
        "padjNgp3oh",
        "nh4bsAMLZC",
        "_Lambda$__6",
        "EndInit",
        "Ncj1vkmjxrdXStfxguA",
        "fO71mm7fK3eas0B0otR",
        "int_11",
        "WQiDk7GVdUn6UlLkpEFt",
        "nPcb3reYoMrryc8SU9d",
        "RuntimeCompatibilityAttribute",
        "uOSh6vVebYlbl3a1dQX",
        "Qj6G3uGK9sx5NSmh9NFx",
        "uSvyV8GIEtmNE1a5UNn3",
        "AlGS3J5Aun",
        "]rdRe",
        "aoMOVI9RyQ9Ka22KXss",
        "gvEaFL5DnGKFaFR090m",
        "ljAueHx2Uwp4a86Qpsv",
        "mJXD47ZC5Cpk63m3sXa",
        "My91fvAAFe",
        "s2aqkRnES",
        "get_ContainsFocus",
        "VU8w5gi3nm",
        "CreateInstance",
        "AGfy77AEdN2or1XS43M",
        "aNjtR5GvoQ3vJyyAfSm",
        "aA3HejGGZMsXP2xRaCe0",
        "P4yUopGCeJIO42gKTuZL",
        "hSU1toZll2bbjnthIEF",
        "ymjp8UFDlL9ZgGVygLu",
        "z6K35vk3kY424lPXuF3",
        ".$a]k",
        " 3NXd*",
        "JrMIece349T3wjCiE3K",
        ":|n8O",
        "i4bl1dGuI7",
        "LlaytyubTFyp2bTGLeb",
        "OeswFTGI0fECcYyJK3sA",
        "IconDirEntry",
        "KD4f0FdZm4YHS7OOCh7",
        "Kdn1MALrTsNnrZxxKo7",
        "QIrQYS9v0crdWmwG1YF",
        "~<V52t",
        "OJfN1nt7cG",
        "get_InvariantCulture",
        "3}1A2SD",
        " e7kH0",
        ")zlU8<",
        "j0a3hFGCvdmY5DV6ryBk",
        "HHoTBZGLsEwEGe6FYf2N",
        "c0rEK5GxRHR2SYeZAMsl",
        "MDBt@O",
        "eHDGM82BpsCcDMT1HL",
        "FzG_y",
        "w8ejh7Q98B",
        "uS302N0pVfx3u7hoHmZ",
        "i}ZM?",
        "iV6BOaxI2ZgauaMvNlJ",
        "WFUa4",
        "JnoxGRGIdQUYQL0gtMe2",
        "oKACDNTGZF",
        "classthis",
        "F,]F\\",
        "kJfy2UMLsK",
        "/c]aU",
        "ObjectFlowControl",
        "rZSPvN8Dlfl7VHUZ7qJ",
        "9H};;y",
        "EJgRlE6s1cobFexWLAt",
        "LogServerException",
        "*rbMc!",
        "(Q+ff",
        "L3Mij8u9neClxaDZb6E",
        "D.fF @-",
        "n8WToHGbzP3fKKXE5SZw",
        "zLFH5eGMaCoayc2vMFBw",
        "CheckBox5",
        "]5MEs",
        "xMYkgspPkQx9LUE23AX",
        "U2yDR/[p",
        "BFy`$V",
        "OkF7wbGbXrpClRZpSMwY",
        "% u)>",
        "k2owsDZj20",
        "Dbm2UnNAYNsi1uFbmDE",
        "$$method0x6000279-1",
        "yxCkdrGML5mhVcT054JE",
        "06kc}",
        "NmthTMAthieytxRGy9F",
        "w`f:F&t",
        "fqcRpyqL8W",
        "(@kd(8",
        "sDQx4DZE3VkkLxOxQai",
        "get_Persistent",
        "d5Uc3npJd1EYElKrTNQ",
        "IEnumerator",
        "TrMBnh8fJhe8na93Waf",
        "$K^E~j",
        "k6gndu54qp",
        "MSAW9W4JqqDdVPUboKt",
        "nAMIoVGwwWu2n8RhOaFF",
        "jlSpnSGerOCBbHotk60F",
        "8q1g-",
        "oFb3BYc1jAK1jsBq0Qq",
        "yw7kPJGrixT48pTs5Ag",
        "ToolStripDropDownClosedEventHandler",
        "WndProc",
        "I>8uN",
        "s3qXrtNGbG9VnWJXN0a",
        "ABUYPIoUB2gtBaeluDp",
        "yB82ixsg9Hxmud3kHVy",
        "IsaYy5GnKD3Gry5eSPIj",
        "TQqCMXeTX3MFlcpBQfP",
        "kklvKedGYD",
        "g3JIlKGeen1MwDm0tbqI",
        "BDKCY.V:",
        "Collect",
        "method_20",
        "tO0uwlpCe3BeyJlaeJ7",
        "DrawImageUnscaled",
        "VpewcMGhIauAR7QWtP5A",
        ":jv2\\~",
        "\"w?& ",
        "imageList_1",
        "ReadUInt16",
        "tjsBGTGRkgiNMoPtwSZy",
        "P8kU3IG8aw0PE4vy0vlO",
        "QtJKU1W08SfnMFxwS4x",
        "Xwt3FGTJk29WSICeUhp",
        "RestartFileTransfer",
        "y6LwjwSbiZpHPyvguld",
        "_Lambda$__22",
        "Qp2dt8LHFP",
        "ewNQs6rf1N",
        "label_16",
        "oeLBimpLKdGx42Y7f51",
        "ASOPdDpzfaDe6oI3Pby",
        "-Av82'",
        "FxsHJGGR56mDWUOnQxTO",
        "/Z]=5",
        "TGBq8vGXPZMQJ1kreydU",
        "Y0ksFfGRu3RMqA1tOKXE",
        "NanoCore.ServerPluginHost.IServerNetworkHost.AddListener",
        "DB0rlVZ9wZ",
        "etcL6BbLPyduVFANpxa",
        "u9VaOBZIyR9Hoxgg8QV",
        "rXWiERgO8E",
        "nHooTVJUtHBBAnCg2Cw",
        "Image",
        "Mm7VcvGyyHRskZPqYWEx",
        "ru6JnEGrhAs6DY9LoOJ0",
        "CuZS3c0Wx4Cj6rTqHPU",
        "HhL6hmHjvBerkirjuO",
        "fUlj1ynBctobxl4QMV6",
        "XAC8RfbB0xNgE67Rv7k",
        "akZSGKFgNtCRwsp5QKj",
        "KJ0T73czvqWlQRQvXQx",
        ":9zP3",
        "a2cK3t5eUHOXUDcZxaq",
        "addedHandler",
        "GT8yQQ5s8m",
        "hoCODoLKlE",
        "XLerweNsEO",
        "E1k58",
        "sLhIRUEP1kSqYfLUXDX",
        "v6ADCElcmGyJ4U0NZvi",
        "ngiNXhujUWmGkDjYmeV",
        "t9pc6wUlHM6DyGZgsJd",
        "yV\"%4K",
        "gdelegate2_1",
        "aUZQ9ljabH",
        "t}{/@",
        "r4FY2pGJbs",
        "u+/&o;*D5",
        "FG&L`",
        "VZ4jM6j4QViiEFSIVE0",
        "Holttd0s2gvC1vsIdjj",
        "wNd G",
        "y:D+_",
        "ProcessStartInfo",
        "jaN1hiAlI5b8GB3IYyq",
        "muXowpMnxm",
        "cacD3ef3KV",
        "OS2vd7X5RoSDomWfID",
        "O~j37",
        "pXt96Wni1sVrXkGS7Cv",
        "{q=eB",
        "Footer",
        "ListenerAdded",
        "f9CQ5euhtaCPg7HrK0m",
        "wH8vI5lTRQ2ooRUCxOS",
        "&0@0.",
        "oN0nAHG8NbfPlI8HlbhU",
        "ymrAHFhQaVicnwp3rFV",
        "x18SlYA6ch",
        "PJxgtoft3PhSeJMaEYI",
        "l9Wm6eGwpr3uwEIIdmJX",
        "MXq8a4GN08rO8eqdd6EA",
        "shEb2orYQE",
        "qhpcF",
        "VINy64GGx77ZLSn79trC",
        "Owx506GhW8yVbIPEaCTf",
        "\"1ZNxw",
        "!9XZI",
        "NfVlc8Q0bF",
        "y3l6ZcGw17K3NgHEy0f5",
        "set_ThousandsSeparator",
        "el>J])S",
        "olu2OiTkRluGLua8VCB",
        "TrIA9n@v",
        "add_DragOver",
        "zvU<8*",
        "anXAhcLzOwcG5XbpO0j",
        "i31vyCPy6x",
        "pDcShXsKyqalSJia2aW",
        "Vu;?8/",
        "jIR6K2OrFAKuEceVDVE",
        "zjhXp9wR47jCa2je4Wy",
        "get_ClickedCallback",
        "[F2&o",
        "Initializing",
        "Fe95Aslueol5ZiISgs1",
        "HI9hshFI2K",
        "AalZuD7sJ9i6cPhcXnb",
        "eh)<*m",
        "RU32f4sqK1USVhfSb2M",
        "rj8dKfPDTV2CWjx9dEu",
        "RkDiUsOL4s",
        "^xGG-7",
        "JU5it4tUOW",
        "jqEL;P",
        "ICJhLmGf1NMORATH7GMe",
        "URtflLyWBcoOn9MKemY",
        "MMCxj8JWs4kaQWMDs0Y",
        "(BGQ} ",
        "@JKM 8",
        "set_Rtf",
        " _y@}",
        "enpLFKGMIUQg3DoE27aO",
        "ControlCollection",
        "AddMinutes",
        "ki3s46GV32JZ90gNOn8y",
        "ToolStripDropDownClosedEventArgs",
        "lnHnGeGgxTm24kHbSnfJ",
        "aJFePdGYLGMM3WZBmDCp",
        "P1}RM",
        "O\\A+V",
        "{c28$Y",
        "LrFT3wrkc1aSbqOgwe",
        "EkXAJfi5GX",
        "gMhgogZgfJZkA0R3eNt",
        "fD2J89FeQ0",
        "Label8",
        "cLevUY2W9R",
        "otvDeuTBth",
        "R1OcG ",
        "k%C<t",
        "l7xKvMn1Arq9f2uUrb0",
        "n<]y/N",
        "u7,@c",
        "y5wcNt0YwYm5yZ3Vt4b",
        "aLUfB6XgDrdPIXR1Eig",
        "Q>||H",
        "yh/SsF^Ur",
        "STKMGQGmvaL09FOdQ068",
        "get_MetadataToken",
        "*aps~",
        ";wrpj",
        "C?+x3",
        "(8A4M",
        "z5weslHIJB8P2OsPShS",
        "TSw&d",
        "ykLoi9GHKJtyn1N0Qn7",
        "dRkNxMOvpo8EPqpkde9",
        "hskBKrG85RuSQaE9tXks",
        "gT7WM8W6Kb6CIM3M9wZ",
        "Fb3hL4opkwb0wBmpexl",
        "t$Opa",
        "tc8BGMh4JQ5BBlr4Zwp",
        "gdelegate4_1",
        "dvPoTAJYLO",
        "get_Now",
        "KXocHwUVO1EnQU7HteI",
        "fPXdbnGxK8iYiC59wA0w",
        "/PsQ(",
        "#IErq",
        "lEh7UsfSCXXiy2u7WJY",
        "R'/4T",
        "aIoiNeGVGqvZ3rsin8Mx",
        "ListenerStatus",
        "GcAZZCGgMy51lAadTc4Z",
        "Delete",
        "PSFiuaIAyC",
        "aXE0HPzRgxye4OQdEtN",
        "Nn3kZyrJq9H7oM8oGbZ",
        "\\WsXz",
        "hXUZf9GfkKqnca6QcV7H",
        "<>Bq*",
        "CImqh3pp24",
        "Label13",
        "yD*>w",
        "`'\"0d",
        "X5M1YuTiqlI9ovC0Kb9",
        "#als4",
        "Label9",
        "QNdUR6G89fb65pTjRvEN",
        "notifyIcon_1",
        "E62MWmtZp1VTENMBmoO",
        "fWUBhM2g4Q",
        "AddServerSettingEntry",
        "XGHZD79cMGnxZ4bCfn",
        "AdvancedBuilderSettings",
        "xTYSP0ZyGT",
        "ColorDepth",
        "M`! JA",
        "X0N2gmbD0ODxSWmPvMX",
        "[ic+<Y",
        "YbkJ246VOv",
        "nynhNAImeQ",
        "set_ListViewItemSorter",
        "EPP5RBYBxL",
        "lnZ6KqH3vK",
        "E-]$y",
        "-]&ae",
        "`V] no",
        "+Ubi0",
        "giChdBGPrqBiwL07xqTh",
        "i#;}\\",
        "askwQiV727vWvat4uhH",
        "TYYY53G33ZUgad84P7Td",
        "vB1ZtUDXogS4rAx15D3",
        "(((2(X(",
        "VXSLKV4QZ5ecBGYMcMg",
        "AddNotifyIcon",
        "GTabsjYAIxBAuLiT9AR",
        "VmGogK88Tl11AWwZ9gi",
        "cUeXxKGrrks1Xu6gASSg",
        "!l<!J",
        "IUQbKn2RIi3QgupAbod",
        "FooterLength",
        "#mN#G",
        "=?+7i",
        "qn1L1qKlpt5iYBv8sG9",
        "WtXYopvBhR5bDRkX35U",
        "CRk1Hgr3hETcYDalSFT",
        "pVpCmvT4nN",
        "xCIQgIGArNRjoOFZToBV",
        "w 7%{",
        "gNIr27lOsLeO4qpLvV6",
        "mlPOK",
        "f8q8JWpoqHpkgtl39w9",
        "DrLqr3zEA7kdcYF1Wu",
        "~ 01Z",
        "qBwPnp6gWkM5jlQ3mpf",
        "yWSJSdc8op",
        "n2aeQxM8hK",
        "ORV8mVG5fEYX3sFA0WM",
        "get_ForestGreen",
        "fXlR7Uc3nf",
        "UAqegytsiKrxrBkFhVI",
        "ttAYorGVj5xlPIZk1oS8",
        "Y[[ '\"",
        "IqVd6pRHCtPUZ98RFjX",
        "get_TotalDays",
        "CyXEfEizDfgvT9P4Zuj",
        "QDQyD2GhjIwVlPPppDF5",
        "MqYfupG8UoVxp24vngw6",
        "@Hf(t",
        "B2j63YGw37xWHmv1toY",
        "lQJHAc202dkVmSlM1Fn",
        "_O|U%#",
        "(DS3{",
        "8L1a_",
        "RkuMrDTg8atiDQ6MruD",
        "kX7ZIEdCy1gOdaXEBRW",
        "9VOQO",
        "NanoCore.ServerPluginHost.IServerNetworkHost.DisableListener",
        "4&a5m",
        "zlkhtIsn8lfANY6Fe5c",
        "SB=mX}V ",
        ">;'rc",
        "Convert",
        "get_KeyCode",
        "hd5Wl0eCvFWhxtcVJmH",
        "otk5pTQs5P",
        "WM\\y,",
        "9I:Sn",
        "BL,@Z",
        "kAWd7hErcs",
        "f!jw=",
        "Cd3CRDEwyxC1S5slqFT",
        "UsYsSqfeWUxTDuQl8o0",
        "BaseCommand",
        "CS1YU3Tcqd",
        "FkgFxXzmWlorRvIfmPk",
        "y7mBwjGKo6bTHeWuArRw",
        "7!%DW",
        "#gn!|U",
        "WirRGrA6kxPLA2OlNO3",
        "YMaahNGVZSpR9QyGUdXm",
        "&d#f$",
        "IER<-RI",
        "      <!-- If your application is designed to work with Windows 8.1, uncomment the following supportedOS node-->",
        "(ZwpPot",
        "mgeANayHw6oEjJGFtb",
        "BsLCdKGC8p8lLsIBQOE0",
        "checkBox_4",
        "up2WaMG3LmV65LQbrBCi",
        ":vFWj",
        "d?GG\\(",
        "get_Locked",
        "$]2`O",
        "sk80J3GZDQh9qyQVexhb",
        "int_1",
        "ckuLVTwYvL0mJ2Tt5pT",
        "Nw3RhXMgxEEKRucR3ZB",
        "jxBx2s",
        "hnuldkGgvb3Vm2QKse3",
        "yjdrEdbLPT",
        "Sb7xdnipQpbeJiEYNoC",
        "t9O1 ",
        "hdKu+QrQ",
        "UyoQXWjXoHKAYHhJIou",
        "Module",
        "wJfJ3UGbWuj4QPQ7ntpW",
        "NeguqOcMDQ1ptwrlrJr",
        "9gC(Q4",
        "G!7W=.KX",
        "m4lhvvoFVjhudM6Ayc0",
        "YwNLqLuExhJAd773Q7H",
        "ecIhOkGZKTBU5PfQUZgb",
        "oR9dymjaPBjttvyYe2",
        "_l+&lp",
        "JiQComGXqJql0aB96OGD",
        "gIPddwxWoQ",
        "@`NW<#a",
        "w<8R@T",
        "qlLDSaJA0IGEYQb1Rac",
        "aVARskDHDPNHX7ViEZk",
        "yIUufO0qx52DetGDo9j",
        "{}*gTV",
        "VariableChanged",
        "@mm;EqO\\y",
        "YVHrsFLd7",
        "eemYe6b5DL",
        "yXH4lP[f",
        "9?Vp{S",
        "MenuItemBorder",
        "IfhjAAFPZqvtbWuNBqW",
        "|'JP`",
        "wyMfkIGy5UgZkMEBL0Nj",
        "get_NameText",
        "yomRnoRUbttuMg1CfH8",
        "dpaoJUU2Nr22CNObfvF",
        "SitV<",
        "tPCXapziktx0TaSRO2h",
        "XxTPMWfohXfYYxnKQ6R",
        "QDYWuSG4jZPGYo2gAU6X",
        "xvAP5AyhJUEEeNcTsdk",
        "z9gIorXrM2p4JT4hlgf",
        "tXdvMI4GvBTKoN2FOY3",
        "cf3dLdNHo2oL99LELDK",
        "S6_B(sl",
        "ToolTip",
        "Brushes",
        "DialogResult",
        "mLDTLFGLRB4dBgQHyMZy",
        "fgdAc4GIr7obXUSAVUYw",
        "hTWOgKsnue",
        "TZrtCfGek01uyvdIArSb",
        "IGaDPgaBpF295kSMEph",
        "KaslrsSFVVpRIgNpKSU",
        "nativeEntry",
        "get_IsEnum",
        "g0fCYxoyJN",
        "Silver",
        "set_Arguments",
        "z?WF&",
        "nS3BPYzWUHi2c8gOIaA",
        "K/vu@:N|",
        "vd1475YGjSBWjFl4rw5",
        "Fax0pc8AY0P95P1acUh",
        "WriteProcessMemory",
        "kPRQf5SJ1G",
        "b|U74 >",
        "QvMO1lGVy76sq5FcWySs",
        "sUuPvPGNblZBV4a0Ra8N",
        "OnSelecting",
        "CMc5QNhZ1kPYwHl87Pg",
        "NKf0gJybRC",
        "W=gg ",
        "g3[Bm",
        "g2VvBqK5NV",
        "NXIw1tJJttuhVYUsVT7",
        "rZHSr1GXY4TRZwW1fmH4",
        "mm7d1QZsLMSKX8iFR4I",
        "eYyFR8lXUJlkcSv31u4",
        "HNAPXJmmqJLY39GGerc",
        "cr1m0uBPW4rmZ8T7cPd",
        "JolSwJbEUeIiESbExXN",
        "Y7ZIgjlwbGZdf9rArXc",
        "Z9L,0n+Z",
        "nZrGighJJXuOlpFXELA",
        "zgqJQ0NXDQ",
        "EGKnOQW0aj",
        "EDW5jqpkp9U84PBkaLE",
        "OgawqUX5f6hMiiXTQbP",
        "GjX8Z=",
        "MLJ5pPGY14tgL0VRJqdU",
        "EAi9qjGPhZuOAaIvar7C",
        "get_StateChangedCallback",
        "Y%\"VR",
        "d9empGGndonybcNGLmfc",
        "B5Lpx9KKqf9pP98YLfJ",
        "g\"aGD",
        "Qj7H?",
        "get_Priority",
        "w0e724ZdMufhTpV01Gx",
        "hh{T>",
        "wB47FZGm60rDHkVYpbJs",
        "AssemblyCopyrightAttribute",
        "2t6&50|",
        "GDelegate24",
        "tq56VbGN2bmFKFcPSP2M",
        "pWi\\b",
        "set_LinkColor",
        "X8gKqltLfitPdXBbBgO",
        "4System.Web.Services.Protocols.SoapHttpClientProtocol",
        "m1wvacGlWuCemM0t4SyD",
        "MF9Qgv4P7nqKahqhVZe",
        "nV&(R0:D",
        "ToByteArray",
        "fJIOKw8qy6P4LwciaY8",
        "CS1LrnhH7aKD81PS6vu",
        "twXismvy6Vy7d6ByAyb",
        "lWiog2Jw1xe4HixXqNC",
        "nT[P8",
        "s^5/L",
        "m44BI4GPbkQhD3Te2NOg",
        "NPpCeea7mC6Ab4toZ9a",
        "zTiRDwGG9T3S14eNChXs",
        "BkKLrU?",
        "l.'%#",
        "Q4DHqqbAYlQfcALIYqa",
        "=VN,e",
        "YxgKkLWVkXcfQBqsils",
        "zTCeHOLa9Q",
        "O0O3YDmcvNQF250IiYs",
        "ewRBT0D4GMvkQyjRvsW",
        "kq1U5qHvMCL9mqC6J66",
        "VoteChanged",
        "Xm16603QFv",
        "N.5Kc",
        "uYX,Q",
        "IServerFileTransferHost",
        "Tsx0RkYIwA",
        "get_ControlLightLight",
        "oyOj71jIfZ0uZk83n1B",
        "RMxxUladBRUyvnso7gl",
        "yFoZAfo45uh2vj6KueA",
        "uak3kBut8g3Ji0jLe4i",
        "kK9ofwHPJ9hsxTqc9Dy",
        "ZP\\L@",
        "k6JqJ0CQEU",
        "Djxhh0iwLR",
        "hNgxMdGC4cOH4wEIBk7i",
        "i9WOJiGbIwrSydYaVfXW",
        "=UJ1N",
        "Cl9E=",
        "hMt8DSGWCHf0iivXE2P",
        "JUIAyBKpa1",
        "gcontrol9_1",
        "GClass2",
        "WriteAllText",
        "rxo2D3G8vHFZuRQ35cKC",
        "}=Xr+",
        "mxoib5TjjJ",
        "RA:0]",
        "AddressFamily",
        "Int32",
        "IuI0HS21Jh",
        "UwhbrrgITQ",
        "qT8LP",
        "-4]3-.",
        "X2VYo",
        "50_(p&",
        "TOtvn3ZkF88MB94jPhF",
        "C&w,c",
        "HlDG\"",
        "D@*O,}",
        "FileCommand",
        "(0?RyL?0",
        "}+XhLi",
        "S42nH",
        "cjE2f5RAjFrvg9YCy1h",
        "PPe3lCgSHp4wLrgK7ae",
        "uyPeZ9DKhL",
        "=-KO/9Jw",
        "_Lambda$__43",
        "pQYV^",
        "r j)@",
        "\"fLa-v",
        "NvmZ5lQpgMTTGIU1OrA",
        "VDux^",
        "JqfyYgGrR8at337KglZK",
        "IVQdDY7rT",
        "yjHyWbi0Jp3IBBbQXO0",
        "o>jMk",
        "VhDlK9KZ3J",
        "font_2",
        "jSoqopgyhqc2RG6uCO",
        "oOvqiiubwu",
        "LET5l5D0bN",
        "hrD1x",
        "z,c0jm0",
        "rM7XU3yT7RktjjXnOQN",
        "NumericUpDown9",
        "NanoCore.ServerPluginHost.IServerNetworkHost.Listeners",
        "/nl%H",
        "4~H{|",
        "CreateCommand",
        "IVFlQFadvf",
        "BlpsDasloj0gnVsMAg",
        "BQn1N798a0qnbL95VCn",
        "B:\\p&",
        "YXKOVBplDF",
        "DlEhGa3h7K",
        "NEBabCO0Ts8dEV4rbnx",
        "pXIPlTTSyp7PPO3rYfe",
        "wnJOLrI3GOCodGDvFnA",
        "FUG19N8IvaF1bIHqoew",
        "GetDelegateForFunctionPointer",
        "ACJ3K8GGW5w26rwNZfdU",
        "K6haeunxj2ExL1LkjS8",
        "nKIHoeGnLNuePVdReh3w",
        "F8N5zHoDVB",
        "cK:sV",
        "mf5DXETrXBx8s2ByGVA",
        "24mEL",
        "ReadAllBytes",
        "LRce733BYhrpXcNqelF",
        "guVqUgURvL",
        "tNf1XdsSisy16R32m9I",
        "Lm7iCx6SLHfn2LxB66",
        "*2D@wfR",
        "EA7bkLGbDTG0ghXH4NPK",
        "#4ZblI",
        "kmM6LWrEPP",
        "NW#97v(lY",
        "P8oZPRGG3rNy3tFnYadw",
        "=u-i>",
        "RBVHZclnOHEBYGhCEq",
        "sjzut",
        "~#j4]",
        "9w6)+",
        "AKOMbRnoJ65cYrjKdeS",
        "DrawPath",
        "YYpSyBGbodrVte3R51VV",
        "Yj7iAJGY9DuYv9s6xZHY",
        "v8cBLdGbOLoeusyOUKQY",
        "N<FYZ{",
        "aHDDdW8E2yssNqixWKx",
        "rwcrzG43T0",
        ">T,\"P",
        "eTxhtEGhlAMxQ0cTQCn6",
        "BeL452Gr5nigEYEisF1k",
        "VpD1rKjKfo",
        "FjUyRaGmplmKdbITgwP3",
        "guPi7a767jPiPrW4t99",
        "k1hAo479qT",
        "_:v+L",
        "s\\Zdqd",
        "set_ColumnCount",
        "enHlLl7MpS",
        "al4oKiNpaw",
        "XqovV6TASekhWX8AC7y",
        "iG1B1XRyyuYMDGvCNX7",
        "{[kJr*",
        "button_3",
        "_Lambda$__30",
        "Jm7Rucs5Y0",
        "LMaXCDiISSd6YbqeDUu",
        "JPWe92541H",
        "sgMUUKQfws3fb6qLUoZ",
        "PortNumber",
        "Gu8ejnG7fcUWloCZjrm",
        "cP3gYJG4kBZ23naCS933",
        "e'WT.u",
        "8.0.0.0",
        "NlFAaXQq10",
        "-8*1^",
        "tvlychHlbr",
        "Xt2Ty12dMNdmu8ZXPaP",
        "wJdF7LGyvB9tZJUFA5Oo",
        "}_RS*",
        "XsCJJtoGBg1ftZsAud3",
        "aWaqy8Md5F",
        "N4fwwhA34xgieTlIeob",
        "RcuiMIlyal9tXs2RH84",
        "mGZbwlqI11",
        "wC7UeN3tajtURIUNZBH",
        "System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "h3mNkQpM6kkgp4BGQHY",
        "Rc822TwzM1K0v6sOpAZ",
        "QM3tVwrrqbcftwEUKWB",
        "uVM7IeO21uCJrhBSR6J",
        "rX79ifGVESFL4U0b7iCg",
        "^<=Nt",
        "GetModules",
        "E9yq3jG4bjTsOJhEIoSo",
        "Yn5lJiwjF9fwtTUs8FP",
        "AQmYEwk5FKXqs8Bd6X2",
        "PreBuild",
        "XvoZ\";QX",
        "IServerDatabaseHost",
        "bK6(T (h",
        "get_Buffer",
        "\\7uKws",
        "VwnUoi",
        "QjQDLwRktD",
        "PY%0=d",
        "rMP9LDLhFx43Mfwig0f",
        "icdikuGGsDorNkx4Ts47",
        "XlkhfD5NJa",
        "5<\"58",
        "Gb^<Y+",
        "HAo6aUId2VKqmaJD9CD",
        "HfpDdmLXVL0kMeQBTFA",
        "JU'4D",
        "jM9hV3cg0lt2T2VAiU1",
        "yWvFV9Xvd5kgJSW0Emt",
        "Gqxi0nfuaOyAHpVg0e1",
        "Sleep",
        "m0wbROGAoh6H1ZZZdA5v",
        ">lhi`",
        "cqOUvcGbd0tUVreYWqJx",
        "GetString",
        "q!C)5",
        "QFLJOQSERKDaw9CsCo7",
        "FckeS3aLELS7O59rLF",
        "%1%D%",
        "BWh5P36iJJ",
        "DJ6TZ9Mrf2",
        "kEGS9bMk4K",
        "_KQaA",
        "w[2SNN",
        "System.Security.Cryptography.AesCryptoServiceProvider",
        "b.N4K",
        "_Lambda$__10",
        "d0TVMtGxJ1L4tLFvJEpr",
        "dvXO1HJMy70nIdHXAWk",
        "WCWff8GZIROwrXDvTnIL",
        "z7OXB1yEXly6Z1wskm",
        "KyNZM46hZRBhpgjuAaf",
        "DrQQL83Vj6SghFT19YS",
        "ltlWT9G4eIyCywRpeGiL",
        "a]b<<T*F5",
        "etq8nLGx3Piocn472v1c",
        "p0z9aY",
        "      Windows will automatically select the most compatible environment.-->",
        "jx7Js3G8VlGUtavkCcSB",
        "rK7088bxYaAhO6yUbRL",
        "x4ar7CNmNx",
        "paWarm1mWHDZTIcLnob",
        "xDGC7GixCSEmqrhvaeS",
        "TF5EuUGwJLOx0jSLk4Ck",
        "method_9",
        "afRIrwlDDZyp3FwD2wJ",
        "cGE28kP5lB3BmOUdFTV",
        "dBB0Myc45J",
        "lk9ZAmGb8JR6PgbvjxaU",
        "get_AddressList",
        "n3IKstr8XHWqOcni314",
        "m9YW6CHKDwQdWvVjf3K",
        "jCvIvQIIhNlmSWLgrYA",
        "HPSSdK0Y1YQv7Luere",
        "GH5VnZmYDngujKblEEq",
        "/$y:z",
        "b|h6!",
        "qG7Wm;",
        "gnmex2avR0",
        "$+$D$",
        "e3haASVUpD5AdbOe54P",
        "KBfxU7d2wZvilZVOZ2e",
        "h7fOBwJ8sJ",
        "n3HYXkBPEOCAFYO68r",
        "ogmnSdqY68",
        "s3Q.N",
        "i0AklI96Wdu8doyeJm8",
        "xoDsHDsVC6Z5vMJ7ayS",
        "?p4=s",
        "ANrKLai5Bn914Z7iGUS",
        "EBv47LQrnj139F83PZB",
        "BetterRichTextBox1",
        "NOivxH7dAFX0q0JENNx",
        "xbkZkNtBjqs8j0fRpM",
        "(!JO<",
        "Xcf6+C@",
        "SocketException",
        "X3ureBGmCgJj7PjXhIlL",
        "sf7byCGeQLRE8AmJGYsr",
        "5AL@%U",
        "jPE;7z",
        "]_N3y{",
        "r9MW82038W8d1Bx61Nt",
        "u5fKM1zAAfHvUBRKdkh",
        "Activate",
        "6n3[Ma",
        "hlISIt5LiXG7jbpJppD",
        "dHdaRGfHQeYOP6IBXg2",
        "zIU0YXYVpk",
        "}tu$A",
        "FI8YfYNPqe",
        "OE3Rb8GTDyrhtc40a7p",
        "IYeekstSQbWyjWXGP7f",
        "FromBinary",
        "EQfsFUGYHtYFvDffwfvV",
        "RJ6cQHISTMZucwsqQl2",
        "method_29",
        "GTI3IlGeuQGX3RZEYXo0",
        "iqKPxTG36dvsUkta19NY",
        "Hgz&`_U",
        "0l$*uR",
        "\"e1Py",
        "Yq66b2pU3gCTAcICjIQ",
        "o5yCXhHgu2",
        "a??`k9?V",
        "BL2xHwJ3XsqAaf6I6j",
        "oRfI4Ah9B6ht1rwwwUN",
        "q0EqA7OJ2HkjtAVapg4",
        "PbYkgYGyIWEiNyATOQUj",
        "PKGh*",
        "@y>RE.'9",
        "md1MD4Q53E37y3AyuuD",
        "66Xi[",
        "HiddenTabControl2",
        "mY7/S",
        "SSG0ZpF58g",
        "vEqsodGxtjMKcoxBlNiA",
        "ImportCspBlob",
        "Y851YZBLiIiETHWBcxZ",
        "MfcfO-0",
        "NNH7EpGN3jVT4HAHBQxK",
        "set_CheckBoxes",
        "Q3JH5LUR7rjQSMx35ck",
        "JJlwE",
        "57,;U",
        "xGqFMhGZ9wkZlIivIUr1",
        "fUlA9yGiEQ6kKB89WLk",
        "XIhqqLihjk",
        "tk4LXBNaaCkKNLSaEme",
        "R5Zs2n2l9BHRKPGThYd",
        "MRTefZS3PFyw7TsFABs",
        "aYK@:",
        "pZL.hV",
        "RijndaelManaged",
        "r7KyqU3MJO",
        "nrU0#i",
        "set_ColorDepth",
        "GoNqemaA9Z",
        "KZB1XL6FsTbM5nUHnlb",
        "CheckBox1",
        "CommonDialog",
        "WISigKiaix",
        "OnControlRemoved",
        "VtYDBLGyXSjd3UmfqTIu",
        "lwV7m",
        "c8F9ToGGOloTWIygyvX0",
        "qZ5C0UPEXf",
        "B3Cs9BcppQF7VhxSqYk",
        "w8FAfeB3V7e8SW5U1gC",
        "fM$vq",
        "jHS0ceGElRPZma1lRPwZ",
        "set_DefaultConnectionLimit",
        "AqSIJfGfmlY9nF7DjIiU",
        "~LKG8",
        "py[ER",
        "QGW8cFQc67C6W0PYDwH",
        "dq4dN",
        "OhmVi4iDjODSkbxUMdB",
        "PsC01djt71",
        "V4kYwqGi9f86UTSr69p",
        "v2.0.50727",
        "CJmihNrp2FQ1AewvpxJ",
        "BlockCopy",
        "KUjOG2xG95",
        "uE5ibqtCvaB91ijMnFY",
        "toolStripMenuItem_3",
        "mtnqH&CW",
        "UploadFile",
        "zTZ7pighQakPjnGaxET",
        "KGqSuVVdEBy5BME1JYe",
        "CK00wyGKHr0qq1dvKvq",
        "a9BKJ6RqEsuonjLEjsm",
        "Pr9dAhnPPS",
        "set_Y",
        "aXQnwLGf7mQPBhNeDA9W",
        "VbArJUGIptGS5cbksirR",
        "dAQ9ra",
        "ags1JBfwGRW8DAGsUTH",
        "A6rYUMM79pIETIgF5wW",
        "Label6",
        "set_Item",
        "method_18",
        "x'I&PLT",
        "cTuqu4Bkp7",
        "B!KOW",
        "set_TileSize",
        "lVvdORG84YJQuahJF77Y",
        "CmaFB",
        "q,/8&",
        "QwA13iGwWgCs5OeOpaa1",
        "^-0x>",
        "<PrivateImplementationDetails>{F4B45B4B-739C-406C-A9CF-5A589EA4A5AC}",
        "get_Created",
        "f?&iR",
        "K8S0QDG3KNun7S35jtb1",
        "YGk8p4GLCgXlyvLt3WHH",
        "0O-;NS",
        "cEMCUNKl6E",
        "w@j.b",
        "o5rlR9aGwy",
        "4cb75+",
        "P6xJDNFOjL",
        "h9DOq4GPg6MthKkQc72B",
        "CommandType",
        "BxVqRfxijB",
        "lcm5EyHeKv",
        "t['--",
        "rHVl4IcfIc",
        ".1gNe",
        "r1weANbPrW",
        "f8LvCFxP5oRqBA74eb3",
        "; aM^f",
        "NoticeButton2",
        "PlaySync",
        "set_Expect100Continue",
        "tvZNAcReq0",
        "qkV.5Y",
        "cflohibby2OLBSUH4SP",
        "MMxBg4xkjF",
        "MySettings",
        "wM2h6fGV6M9bIx0nvZKZ",
        "Vgn7SFGEPtnoBUhd0ePZ",
        "u0eoT9S4UxIwXB4NMvu",
        "ListenerFailed",
        "vO7HOorCBOwJAGtt1Jk",
        "KFFTtclUJe",
        "TextImageRelation",
        "n!;6\\D6",
        "c02vR57QYwRboiyJMus",
        "set_CommandText",
        "P6fOgcGmABy4DiYV7Hks",
        "vrhV28dTQJJTI92nqeP",
        "HjSyJrIvpr",
        "s:h'L",
        "`.sdata",
        "P6soGwrQSp",
        "N6TQZXebbeqgSLFOxJ",
        "ComboBoxStyle",
        "EWUQr4cRLZ",
        "VTu19bdnu2",
        "\\FYmi3",
        "cldniMGR3QWf8jdxoLfn",
        "7EVc(",
        "B]H?9&",
        "FJmln",
        "ListViewItemSelectionChangedEventArgs",
        "M27L0l2pgQ5Jx7RDcWI",
        "CdKD5R93mQdkYF2TuG2",
        "QoXQQ010Up",
        "tOoSLbSd97",
        "MTxAb50QFA",
        "oAHGqpWXOlxAQGbuKbu",
        "jUKEnMaU1I4mM94Z9EV",
        "System.Reflection",
        "pk080C",
        "hZdn1g9E9C",
        "HwjktEFVAqq47TCJWqN",
        "Jxx55aGAf0q5xZjUkRtM",
        "mhtY7tGkXOB4rxnbuiJD",
        "aVkuvbZwTBjKN1dyC1R",
        "lkp5OKGC7xpESx3vg2P3",
        "nuZMBYGeM2dcS5j2ib7",
        "dQ~kX",
        "aI57fZGZb8dS9rUhhZ7a",
        "yu5QCtoHhf",
        "jalGmSNN7tKfyYqo5MH",
        "iBwmAg3iqNODHoRTex5",
        "Dh\\dC-",
        "iWRlvMlGoC",
        "yy9zn|0",
        "cadYn4ouSK",
        "bool_4",
        "chc045GVC88imF0P4lKb",
        "rj5\"(",
        "c3Pg4iGnNHWf5T1lhJep",
        "qB2LJDGlGf2FY4qWTWFx",
        "JWR0GtHJtg",
        "DqW5wYG4M6tpJBHIuUZX",
        "Int64",
        "K7cB3VoCJR8TrL9Tge3",
        "method_33",
        "add_Load",
        "get_ModuleName",
        "KrlifRx15QTiQOHin7l",
        "Dvqq[",
        "|A,/tM7",
        "oY0OxmnRPD",
        "N!}n^",
        "EhjcuOGldvG9WlPr5Y2O",
        "W5iaHuq5rpS0DATPjf5",
        "xsCggmWewG9CWItERFI",
        "cbaM6H4NecYRDEoVkn9",
        "e2ntT8GrL6SFSfSY1L5Z",
        "zbVADboqN7KTFCEySeu",
        "ReadUInt64",
        "S9{*x#8",
        "NotifyIcon",
        "object",
        "SlIfvZO73pIWyi5j6AI",
        "addedHandlerLockObject",
        "PgT5xBGZlQ0LBHHD8Pq2",
        "dtmNQ4nUZi1mWBAfMjP",
        "__StaticArrayInitTypeSize=18",
        "(rb_p",
        "PuliAjBefe6uHFl8cyS",
        "ox6403UJJ0GKJF08bPj",
        "zCqCTudjjyxolWpKU0o",
        "MB_`{",
        "[+BvO",
        "PUmCJbd3tF",
        "e2MpuiGL1ZC8vijpixaY",
        "_Lambda$__5",
        "WTdBK7mFHVpyAoG9OMe",
        "w4SshYLK7wFL1aP4Iy8",
        "Go6BSiqgOfSVoaSIVef",
        "K1xwadcXC0",
        "skNlMhGxmQ5Zpl9aTQ1X",
        "OopvR1p8M7LskVs8iGa",
        "/R%~2Ve",
        "AM:W:",
        "remove_TextChanged",
        "j3S3jsEQjVcUcd3GYe",
        "DOu1Q2jNn72GMeh9gMJ",
        "xlcj0NGMGowPJ6rbBmRC",
        "NI9akYGgzwyCHeMh5XbW",
        "RjFNmnEdsG",
        "EditorBrowsableAttribute",
        "ADOAx5bhFZcgmLdDFu6",
        "ytCgKcxkdj7QTdqUnCq",
        "NanoCore.exe",
        "GG0CBYGKO2ev9tVyvOCG",
        "y#t&>",
        "X7|bEm",
        "J44a79VCrk9DV3LiX6v",
        "rbP1KAc0199csHlW7Cj",
        "Q2xMaEGNI5tWjajfZek6",
        "j4BC0VG8gAXFo6u3LX8f",
        "ImageList4",
        "v9s5iAVaIgXbndm8NOR",
        "get_TotalSeconds",
        "xgCOjgKBrq7X4tiWvmr",
        "t1z'I",
        "VA1U6NGEBKwLOlR71cql",
        "x7paNDT3JU7y34NcZ8q",
        "Nyn6jv247nNKTUMfOgO",
        " Wekw",
        "aFp52YJyxj",
        "dWdBcpGXIcSUoiCKg3dw",
        "iJ6lsqScoqD9thENRWN",
        "|5$eKH",
        "FileDialog",
        "{GQ+TCg",
        "K,.3/",
        "I6bqffkrS6eaVDZGnrN",
        "oa8ATeHeUpf48PXHfjI",
        "aAkplacEuAPgQ7ym0ym",
        "yiNK0sKrMLCeSnGeBO4",
        "R0RYy6ZnXb",
        "zYWaUmHH67vipx39XhC",
        "cdTkwCRtahhFK07qwLE",
        "I(#85",
        "DUpZqj6iMSCOCN7MacK",
        "mZcljGGIgAeTTfC8wl4e",
        "long_2",
        "gcEWkWM21LUsxdl1p7l",
        "lAlCbW8swvhBv6Sinln",
        "get_ExecutablePath",
        "GxqxeVBgib",
        "Aeb\"H",
        "shnFBumiTMVY1U5kWJU",
        "JkYsSr0yQMAZNqE4nAQ",
        "dXD9Jdacj51Id56UMbS",
        "yH1G70jMxk2L34eby0",
        "arICHrGVFdXBguTb0GaM",
        "K8y8896ZKD9xWqTAcW",
        "cppVnl0eQBCqY3UbfIq",
        "toolStripSeparator_1",
        "Remove",
        "MPqvTBaOrn",
        "6?C!M",
        " v]h]l_R",
        "[$B^a",
        " LJ3\"9w",
        "FS6iPuGCLSkO6FZwAEB5",
        "XxMG8HGluL1YiFLv3hQW",
        "\"@tVt",
        "$$method0x6000007-1",
        "Kajy8Qtn3X",
        "3Ils\\",
        "nYmOd90Ep8",
        ">8HBk",
        "ExceptionData",
        "JTCrjl2Foi",
        "xTswY9G0IoFZdo4CO1x",
        "get_HasChildren",
        "apseY3cAWE",
        "TT4arHkaykFkk1bHvMa",
        "lt9TQDuPjp",
        "909w,L|",
        "MP6cSeGgqVQDOHOmXm6L",
        "FlD08LWWDdvNnNke6wn",
        "fVyM459hSShf3FnPl6D",
        "{SHH`",
        "UpVb4FX5OH",
        "u.!c}",
        "mE2TjnlMshNkDTcIrW4",
        "dc4ddwGf85eK0DcQfCEr",
        "ArgumentException",
        "4G)0U",
        "_D0a~",
        "oI462XjJRf",
        "FHMVXNkqVFaLU6HCRbb",
        "8D}!n",
        "Ww&h/",
        "pT25yrCNYK",
        "o) yG",
        "(kc-C",
        "566L=w",
        "RXEiaCRo9v2YtfxnWcR",
        "XVJ{<",
        "FPkXXEmuxvT6DKVyP1I",
        "RemoveActiveNotification",
        "NShk5YO6KyQh3GZYM01",
        "6x[zh",
        "Le+ym",
        "float_1",
        "ImageList1",
        "n3deUsYoYn02WiFELFW",
        "BindingFlags",
        "tU>H~r",
        "ColorMatrix",
        "WSnyFRGhE6fBy7MUoPuJ",
        "a26UZwYs3eXRg0m31K8",
        "G'kAd",
        "UAih&",
        "AnchorStyles",
        "AV8OmhjRNXUAPq3B0pZ",
        "LfC) ",
        "KeyEventHandler",
        "3x)P}",
        "HxEHHhm0tsxZdelOsOw",
        "yfLELMOKXDK9n0h13pI",
        "LinkLabel1",
        "zsD8ZBGK1FwbNMuy3gCv",
        "eA0TBan8ad",
        "s9q45VGyky2ChRq4q2xK",
        "ThemeChanged",
        "(@.Ljw",
        "tpFDH3GrwOxCOSrbFZ0C",
        "+2UuM",
        "GXf0DWSPZhngSguaVcJ",
        "E4fSuK2nBg",
        "int_3",
        "WaitCallback",
        "Int16",
        "xQptXtWRWy62ANaA9Tp",
        "VYkNYCy9mM",
        "Label21",
        "set_AutoSizeMode",
        "mHYMGgTtlm76mW0BWb",
        "qbr3rjGryFccw8Fv3TaY",
        "MqH>+{",
        "Yofo5ZG1W0M69S2X2MR",
        "]w1j_*",
        "DCoWayvXW8Mh7XQrAsg",
        "|YwK.",
        "I\"^[Bg~S/",
        "BWC3UsGwWj4Tk1ribmy",
        "jDW18XT0Uw",
        "KegmbxIe4fwag7EQuxJ",
        "'~wNr9",
        "7R^0Hr",
        "SHWSqUJp5G",
        "Dictionary`2",
        "xt}HU",
        "Uto'8",
        "3~I0@",
        "set_NameText",
        "ybblGxtqQI",
        "/}VYD",
        "AddWidgetEntry",
        "ok3H ",
        "yNNdHf2E0GpB9PQtOQ3",
        "elQ9VDGmwwcSgJedVMhV",
        "dVhBsqg6sGHX7QiZNhj",
        "get_Keys",
        "DoDragDrop",
        "cxJLZVGYb97tjHafVTN1",
        "MeyNNMdpFU",
        "eHnett7rZg",
        "WCCNajGVnFgExtV20dvd",
        "Q8\\rsf",
        "raHD59PRWk",
        "JNWPEBGgENqZN8G72DxP",
        "sYVcABGXh3SinMRwO98Y",
        ";,G9K",
        "TSwhUGGAMe6nPhWjHPmm",
        "ProcessWindowStyle",
        "columnEntry_0",
        "ygw3u",
        "FUH3HQ",
        "9[Wb8w",
        "GDelegate27",
        "N'X_$xv",
        "StringEnumerator",
        "zxC5Bbk6kaBMs4tZ9IV",
        "G5NYBUGI73TvruqN8pZv",
        "MgTGsZ449w1e1ODuMrO",
        "NG_>>",
        "RioOffenbx",
        "+yI=z",
        "set_Location",
        "zbXqP0WsVKmNCeaMFhj",
        "CallingConvention",
        "~kv;v",
        "timer_1",
        "ujVcUcKu0",
        "GControl7",
        "QDmexF8t1qQp7ArmCO0",
        "wnhwLL5jeFnRMbGPQG",
        "ID>%+",
        "a30HUR0rLYxHRKtp2kO",
        "RotatingLogoControl1",
        "TPKZodH6jBcrfeJtVcs",
        "O\\!4i",
        "qq5ctOWGTDe4PajSlg",
        ":upe5",
        "vGeJKclduJ",
        "Iliv6m6nsR",
        "emoRt",
        "ToCharArray",
        "42,Gp!",
        "GClass1",
        "ufZUVvtl7crM1cGHvIo",
        "HJyD7YgFZAb7R6hhh9B",
        "Gtd1Xm6ZOva1ncBYu84",
        "X5cZPmGfI3NLA2fxEy6l",
        "EjoyW3rvMD",
        "get_InnerException",
        "OnOpening",
        "ZQm[FY",
        "JTAHAUnQfs8X1tdkfZy",
        "xm5wVPXGVf",
        "NumericUpDown",
        "NX16s4Pf8e",
        "Marshal",
        "znyxRB1SN3ZFaCYbqE5",
        "CVWBvJMP57S7Ts5ArBo",
        "gvo43JGEumnP0clqqZcd",
        "N7Ay8oGKeFyGD7HRxB87",
        "$m1KK",
        "vkivmCGKdGIAcYMSA6QX",
        ",MG~X",
        "MqDDf0fzPa4cVee3Hc7",
        "method_12",
        "jbnXwYGfhXl2b6QpCeLH",
        "aJrCX77qUtrhkNLXJUc",
        "KruNgvQdXe",
        "ToBitmap",
        "EvcLqggb6Q4dg00hh92",
        "hCq1WVpDvqTieSOlFoJ",
        "IXqmVB2bODyoyAItlTu",
        "RZGbVg9WYWh6ZAFbSCf",
        "      <supportedOS Id=\"{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}\"></supportedOS>",
        "y~KH}p",
        "VHG E",
        "add_KeyDown",
        "KeUMpUMaWZu9G7LXFGD",
        "BN$>J ",
        "StringReader",
        "\\!n :",
        "q0LO7",
        "u8mN<",
        "nQZOUEFNYg",
        "~Eeelm",
        "!H-9_",
        "smethod_0",
        "CCp6TUK7Tsn2j0phqOq",
        "lcSvpx3shGpZVd33aoB",
        "LTxbcK9y5iSLv2GHjwL",
        "lO{{`",
        "xcMe`9",
        "6}r.u]",
        "LRp1S2dXA9",
        "xDIGM8GLvVqsj2hJ74G0",
        "MhFUcyAYQV18mVNRcdB",
        "Vf4TMnGMJEeGSsuD9Ux7",
        "0+k7_s",
        "n7Xp(",
        "get_DesignMode",
        "YMLiJS90V9",
        "c4wBkBGbfqpLBlbmfW9h",
        "oTjZdQG83gTDMnjkVLGK",
        "gEilEiVhRnZBtvIJFh2",
        "uXUHC6pgGstxx2tlBEF",
        "dI44BHGhP3bQnUQ8Q2Ud",
        "TIWyTLGYCM4kfm5fMUdF",
        "ldvi61G31sTBgZy1oXu1",
        "MRo7lZ4W83dtgCmQrH",
        "O?MHO",
        "skm1lqrQdl",
        "lQDbrUQvBWMrfeFe2Io",
        "Iii13mkLvv",
        "WjB97c",
        "yHPFV",
        "pictureBox_2",
        "xvpD7IrFOn",
        "CheckForSyncLockOnValueType",
        "SROHQEVxCZ9LGPptPp6",
        "U8C3Z9m8glLEKD9bDlU",
        "set_Cancel",
        "Qr9QoEnViW",
        "ThreadExceptionEventArgs",
        "ddPTkSYXbSTH4vZSRI3",
        "[Ykje4",
        "rY0wxnGY7AN0Gwq5W2Pq",
        "Ad:'k",
        "$M(_ oh3",
        "DrYp1xeKTdcicNJZFi",
        "RmoUtUJXdp5jJOBm3pG",
        "a8POKvLDSS",
        "F2bFtXGIMZrJ6IYwxgTC",
        "pA465PWui11n8NqegPS",
        "Z,kre#",
        "r#hz?",
        "Ss6LvmE7q51jeo7H66L",
        "zgkERJG8kqGsSnyy12uU",
        "r45bDtlMql",
        "(gfT*(",
        "PuJGK5EcJ8ygTH0EVJO",
        "tXWNSdECCXZMMB52PxO",
        "nIl%XLP0",
        "Vim3Gmb5gxPo2uFna31",
        "lAegQHtPoZw2bAE9QMR",
        "WWAKiQGb7H52qjVnHFr5",
        "NanoCore.ServerPluginHost",
        "^BaHm",
        "W0-2P",
        "irGCXyRpGPamasBqQdP",
        "dV2PWpGwNjeZKBKFimIY",
        "QS6e2vs87B",
        "HUvTwGfbkG",
        "r 9y0",
        "h%yl|",
        "eicNlhcBfH",
        "dmIcETguq8nWOTMhamy",
        "(S\"CCv",
        "qFS9OCdbJniUj3L4kdb",
        "vaA5w5F6V5IL9X8DX6j",
        "get_Bottom",
        "qRoDv0GCTCTfSs7kPg1F",
        "{LwY*:",
        "ToolStripDropDownClosingEventHandler",
        "OHLoCnfX6J",
        "Cw8DbI7qyn",
        "AUSInl5cZisTqonlPlJ",
        "FromBase64String",
        "vsiNsZxL9mUlM82CNOn",
        "GDelegate23",
        "get_Method",
        "Qau0iCZclp",
        "StateMask",
        "scLyfkffw6",
        "IxgFZYyiG43Ldf1KDvL",
        "e37s1vkhjpy9OQTRfjT",
        "Hjrpwcs5V0VpjNR3QaW",
        "@gHT#",
        "N140nKiqxE",
        "h+/st8",
        "            compatibility then delete the requestedExecutionLevel node.",
        "get_Day",
        "Fm9vCeGwvUo3QadEdqTg",
        "N3mQnpGlnOyvwd3yFo7o",
        "Ati061sycy",
        "fx1j!",
        "vrshavJ7fqmZ7kJlVn",
        "\" ZJO",
        "vWxcCh4tSIZYfJmNGFg",
        "nub1W97767wuT9CYcbl",
        "!2xAW",
        "apJjbxG8S6v0lq4FlwAi",
        "YF#p#",
        "ServicePointManager",
        "fsRVwHiwiJcMwCeiTtu",
        "VF8BZR5Xp",
        "Y75DE21d4Y",
        "NBPppGn7wePv0o2cNoc",
        "JVfofmbAcX",
        "tEkv8AUg2f",
        "Eqrb2MYuOq4437Qur6w",
        "QPrESQnPVMvWWWWGcf3",
        "tBhrP3taNblPKMqu8Q5",
        "LBfrd4G8L5vZroME71Vn",
        "_Lambda$__88",
        "columnName",
        "A4215vVs1T",
        "ExceptionHash",
        "l3knAPi8hH",
        "zXDV6r1KMtH0c9laGBh",
        "hnRDJalJvd",
        "a.H>k",
        "X3effkWd1Wuv4j8W2f",
        "E:~`5",
        "pM<cK",
        "FAJoCoG6lfSb6TFMpXA",
        "Combine",
        "B+8S|8",
        "znjheEGl4XGdABQ01E4Z",
        "R:h_cz@p",
        "Z6`rD",
        "Create__Instance__",
        "$BD39D1D2-BA2F-486A-89B0-B4B0CB466891",
        "xWgTK6cVYSG2ii9HmF2",
        "6\"B/qq",
        "dwVqvgGlmQosQP8yhM09",
        "MGr0RjPGO7DGVGx9scQ",
        "xBb7x7eAHiZA6uwm3QU",
        "VO1QqENrXQ",
        "crOwl6GMYcY9nrDgoZ8j",
        "hhP9MWLvqB2lb66h9ZU",
        "DvMbGZgad46TSqJIL6",
        "7:3>%",
        "oQNInmQxLqCigcU7TH0",
        "set_AutoScroll",
        "Vn8OtHGrGfeA2Wh4Iqc7",
        "mLl9LPxdP85VooptG4P",
        "d1OVx23gjf8LlcbL4vL",
        "vo`sD\"",
        "uRms2jofoCxO0cVtdAF",
        "aibo9i6CEu",
        "q+x/+",
        "}YR[&W",
        "LXgN6KexYi",
        "rEn0FtSxGJ",
        "OnHandleCreated",
        "DVNGkFGn1U0mWuIQM5jW",
        "R4oY6q700Y",
        "T3I5slWyLA",
        "kIX5e5GyJB0uC5HupXR7",
        "FTg8RADoQCDuKp5ngmG",
        "SL~AT",
        "ImageList",
        "l7}{q",
        "xJxgpXGGtVgr2H0tugrn",
        "hNnPsZGl8P8TB8k1k9LF",
        "_Lambda$__60",
        "ayaYAtKl3I",
        "CipherMode",
        "v]6c ?",
        "aoPQD9zxstPftRBKdcF",
        "iasyncResult_0",
        "nkmFQ3dEJndZ2l2WADc",
        "XEPIucO5ose3iQTVxlw",
        "etmk38WvJ7IqhtFUiWo",
        "GUnA64GNwUQY5DXL0n91",
        "cHk5RucNkOZDNqgynjW",
        "SrEiRCGg9qs3xYErHBmu",
        "_Lambda$__73",
        "SocketError",
        "GfZAy6GgRUlaYfDJ7fPd",
        "5nz1?ZP",
        "wATnqqyar",
        "IServerDataHost",
        "ayMiaiDnnUVRo7vBdjh",
        "iEy7)",
        "xlZl5BNhIM",
        "HYmXt56PY93Jwimngib",
        "ErjI0sfMr3bRZhKTRgE",
        "vjTMwZRbdwxRo8GuMZ9",
        "YX56\"",
        "7F0h.k",
        "i9hQVdlqpQ3Ge4HaRLj",
        "xx0HJ9GXbeVpiyjBiuJ7",
        "O2yxj867nOVEfs5rfYN",
        "3hWt/NL",
        "qoAOG1yUn7U5gttXdVw",
        "7JRs?f",
        "w;8kn3^",
        "[^n''K39b",
        "C6ebff8D9C",
        "pK5CxCxSpX",
        "^I>!wfMTH",
        "JPWWqLGLVeP9eK0EqiMM",
        "~\"B\"{",
        "sxAd9",
        "whVhK1GC24VAQtAXXciC",
        "fHidSAfZQm",
        "fbLJJQWNPHwh6VBlW5x",
        "fs7R4YGY39VHeBdeGRbL",
        "oGfIIcGfK4dAXHDYQOHq",
        "#Blob",
        "ImrbhubNT0",
        "Ap9eDoG441kx948YdncM",
        "kOvWod8mPX9Uo5sys0T",
        "JvqIid4MaNvn3ALQdEQ",
        "Fq76yH5WAUvfFLZCDvB",
        "chtsOuGAEG0Egylfw81G",
        "Z0Xmzj}",
        "~X*xU",
        "kOafMB85f4dYicKyKq",
        "aCyQUk6qNl",
        "get_ClientRectangle",
        "vVX6nudLuvTTsCiVcRx",
        "UnmanagedFunctionPointerAttribute",
        "dT5&(8",
        "get_IsDisposed",
        "kayAdblwm0",
        "NoThb87o4w",
        "uKx6SbCSJo",
        "SBbjlh7OQm",
        "kgwM9xS76ITIt6R5sxc",
        "G8xeZ6ybyUWRNTlkVX1",
        "IWQ6HwtmcyGKfNygEOm",
        "K*@\\h",
        "gS3SNY8yF2",
        "pA3jQTTUCXDss1f7Fbl",
        "Qilg_",
        "GFQwC3lsr0diJhlIL54",
        "cmBD!",
        "SKUS02llou",
        "mIXDRDqZR",
        "z;GD<",
        "Nfu0B1ZUHe975tVixcS",
        "VPBdzJ1jVh",
        "int_15",
        "Rn6XotTmHltWxrKfi1k",
        "ScUeCBGCmCf87IJsGgwx",
        "w`\\a)",
        "GDelegate20",
        "EndInvoke",
        ">Ct?X",
        "q89KkLa6v5lxnZNGdeJ",
        "mgRJ28GltpulH2U3Ctv3",
        "H>zNy#J%",
        "Clone",
        "E4GJyFo3Y6avtjD0Ff5",
        "Dr566MB8oI7i8AbtaHd",
        "vSm8wYTR0",
        "Label19",
        "</G|G",
        "NotificationBuilderSettings",
        "IsLoopback",
        "MrrYjivFl3",
        "KITAfGLlSF",
        "hFCMQ7zf1F1kQU8QAUN",
        "k(A]W",
        "  <!-- Enable themes for Windows common controls and dialogs (Windows XP and later) -->",
        "'W8KS",
        "set_SaveMySettingsOnExit",
        "EphREvGmL7ArNjOq5KSN",
        "RwUYoNGZO9dbXPMOCvWL",
        "`EKmf",
        "xyQ7fZGdS4frCocJK8X",
        "Y5Vlwke6SK",
        "TF8pXNFsk3QO0poH66",
        "YT8Ho6NWbYkVqQvo2B",
        "4H8t#y\"o",
        "uPNBPLygb6dCSFFnNqs",
        "mACbsTGysG9vFTgsPJcr",
        "sv0XFUD6tPMx3sJ1AKy",
        "JKFDrGT6A5",
        "MPHNqVQvZT",
        "q4gS-",
        "0r><[",
        "l6hUkxX46pv5i7q56TM",
        "^$jmP7\\",
        "kB8R$",
        "T32mUXFn2",
        "D$O9q",
        "![]2&",
        "?s&oug",
        "EE0lYOvUhTlWht2ThnD",
        "9n\\A:",
        "P,Kl7",
        "mM3VXbGGn6cDi325hcsY",
        "4GqT+",
        "~% T4",
        "_Lambda$__85",
        "BP9yGWGGLDvCW9bZBCcy",
        "AQdQAi4dNcyTWvfOJR7",
        "iserverData_0",
        ";pwiD",
        "get_Position",
        "pm7qjQGF9NUYk0OJ6LX",
        "oBkYTqe5u7",
        "ySqgJSL7GKW6jusG0Oa",
        "lE#_G",
        "HNTg25GhAoRPmnMjfYEJ",
        "Xu8hq6Z2jYxvCens28v",
        "OjJnkuGGjDUxAslia2E2",
        "I{Qyj",
        "HOP3kFF5cnLoAPJDCyQ",
        "bool_5",
        "NkdladrFp3RTmj8B1f7",
        "BCU7P8GhfwO8ZoRu1HJQ",
        "kVSEotGy4w4k5FQPDOom",
        "nD9Ctrp2rN",
        "[q@an",
        "M&V }G",
        "V!`Fv",
        "hM }_",
        "\"]B|P",
        "CheckBox",
        "11l7)N-",
        "@1U>Jm+",
        "Ou2Ww5SeLfUKFJaX1kj",
        "TCAa2iGnAS9MyDqk7n9Z",
        "`.:.u",
        "QR2S3oP8eM5TqHqB8ir",
        "k02jlRzuWuYlGGeMitk",
        "f=:%f",
        "SelectedIndexCollection",
        "RfcCkiGCRoaWVCQIE288",
        "wr7TOlYE3a",
        "2c@{+",
        "get_Connections",
        "QqewktBsGS7ZRwYCmnn",
        "mt4CvLt0RMLEsy306rQ",
        "MpPOM",
        "87ne-|",
        "tCe7bhGr0c16oD4skHO6",
        "ViafSt9ldA",
        "4lr&8",
        "Pb3=d",
        "UkW0h6L5fvW3HCinN6l",
        "AQ.|m",
        "eYpPpWGDqPyGWy3Irxy",
        "SZIE81VFdql373h28B7",
        "@dA-@",
        "U4%BN|",
        "I1MIkaQuysyR8EFosfR",
        "z!V80",
        "zTiMFr5X2qp46hrx1iG",
        "sEstrtGKuy1nNwKd2bBd",
        "gdelegate27_1",
        "Edn1dpEvbjmhfbJmRw6",
        "iLjY82Z3R4OYtnRoevW",
        "add_ItemChecked",
        "GtDFw",
        "GxJD8nWy4MXfpZVVpSG",
        "oHkUbFGADlCwAEl98Jp1",
        "WekfR",
        "jqd671pRt6ymK7ikg4P",
        "UKQAI4jPcy",
        "S5c6UDZLmcdPPS9mCbo",
        "lL1DDpGbK92WmqI7L1DZ",
        "IWmlV3UuBG",
        "_Lambda$__16",
        "DRbnBCrI7u",
        ">`%3q",
        "v2dQL2fw3V",
        "k2kJb6vki7ypg7TkuKH",
        "tHWY1u9It7D69W8pd1t",
        "YNXo3nG5FYShA4EpUYJ",
        "EnHIjA3ojI7XCCTHhPV",
        "Uhh5mTXpXw",
        "FJ9VnrNE6UMnYsVFXb4",
        "x8bA61MHGZ1gxcBFucb",
        "AKJGZgXdoGugnhTKru7",
        "QqWXasGbjDkGisgm9hxR",
        "wpY7oVTneM2HTaX2fPP",
        "hy%57",
        "dZXPo9ma8TNnU3W7auW",
        "ow86f4rA4m",
        "mN6IsnGjoueL0FkEkeg",
        "ReadByte",
        "gYh6rNGe1p0qUnMFLsYT",
        "xIZAB6HoJt",
        "yBv12lfblGTb4AgR1v8",
        "gkFnby0GlYnl6PJqt1d",
        "&iFsT",
        "CT&bw=",
        "DRYTk1oAD7Ue68yi8Fs",
        "^SCjP",
        "i|'z\"",
        "nTh*G",
        "^n/Xa",
        "'2#1(",
        "AddLines",
        "JvTVupYOf33uHDO7F6O",
        "xVHxEmeJd0",
        "vu3e1dWlmqH61wtp4dd",
        "NUIs9haJVuIOYiDKGmX",
        "m6cDilGZaJqSoiib7rb1",
        "hucxM1NoIO",
        "\\z\"lQ",
        "SWMb6boZTY",
        "set_IV",
        "dh0RnLGbmpq3cNMxrTMT",
        "set_CategoryName",
        "T5MVu5Gr2m8OvVtkbllf",
        "3d2e63ea-22f5-47ef-8205-1ca77ef2fe6e",
        "T(N]Wr",
        "m65cfsGEH4EMptnLD166",
        "hv6!A",
        "d2EQ729NiVCPCvjR8Pi",
        "pTK5JKZ87q",
        "NXU5YcWhokZZyrk6Awj",
        "z8qE2NGXiXjc67sK6axm",
        "{GJoI",
        "eNmRNgOaa5",
        "Je+I#",
        "I~E5]",
        "Mh4jsdyXGdVlOnEme0u",
        ")Ce6'",
        "fRyrqyoTxyk3NNBReAV",
        "k02.e",
        "c3K+p",
        "aKrTmxGyWUoSJYlSyPyT",
        "e5BAC1965n",
        "nGDMw3dQn5yFDUOhWOb",
        "s5Q5|",
        "mfktxl4ynmiljBE7yQq",
        "op_Equality",
        "TopRight",
        "oae{4",
        "LSV7bCG8e4g2OaX7QaNK",
        "d7fRRVDfoeYiNky1vwJ",
        "T\"\\@@$+",
        "H9uVSOAAWf9up1cCd3c",
        "BN1JTgDadZlwwZrobnF",
        "VMu/;",
        "\"9c>WR",
        "w8aUTi7wTDdFkXMoXe0",
        "mBgF8txYqk5FvjVLJDW",
        "RMEuiCRkA6xrA7hL3pL",
        "Ha'^7yf",
        "eaqy4Mq8Ur",
        "aGpJivv3eFOsNN11KrT",
        "HCX1FZNXxROC3ayV45m",
        "GQ8LWUwVBsJ4krhCyPT",
        "B53twIkOpWspofGXcAB",
        "L4DtXvS5djeVjUapacp",
        "WdWan3wiMxbcYAR2idF",
        "byte_4",
        "hvhDIalByg",
        "BTXIA04XgXDK6gumDRZ",
        "87e7Ast0",
        "          publicKeyToken=\"6595b64144ccf1df\"",
        "get_UTF8",
        "R3GeTUnAfph7xQ2Wjx",
        "ResolveMethod",
        "lnaLPTcuUiyaiklSRMm",
        "RakTs48QXyytA33x3Ix",
        "GetHostEntry",
        "olaP|",
        "o:u6`",
        "o3Q3NaG4AXKST4Ql1QeA",
        "TZAPmndFvSj8cIa1Hq5",
        "eBO87P3nQnehE3TpIDX",
        "long_0",
        "|lV,1",
        "tciLnDobHjAxbLseaL.nsYexfrawa3IjKj96p",
        "Cwm|ab",
        "J>9)<",
        "GpxEMU7JqhOh5y0h1Oy",
        "v<|h\\",
        "0OQ|h",
        "-)c/|",
        "py56tR6pSy",
        "YvcyvI8Nw5QGwUvMim",
        "h0VvOSVvrO",
        "awM7WgGYDZkLtvm1x6WL",
        "P54qZs7IAI8GwU5HS64",
        "++}2j",
        "gJ1OeCeGZ8Vn2RislTg",
        "NcjLk5GrCSbJsfcBiLaQ",
        "pWfHNbGE03RctsNjL61j",
        "TabEntry",
        "_Lambda$__27",
        "MNdCs6mIyQ2k6ujyJ4N",
        "NumericUpDown10",
        "mz@4!",
        "<6%c;",
        "K5N9Zg9abwwfYTM7Clj",
        "TUnioXZtkLWsWGDQeyS",
        "Start",
        "HLkUo199jkoPRDHJMrU",
        "yG+NA",
        "GByyADHTElAio2Qp5Gf",
        "JH8vlgBmFA03nS4QKZ4",
        "'kY_iS#2@",
        "JC1jqTJQeH",
        "System.Drawing.Drawing2D",
        "pvP88dLITIs2lGyc8FR",
        "ySH.0",
        "          type=\"win32\"",
        "fBeWcbQG3lVLlIxCwjx",
        "QKf7U1HVl30eEh060ac",
        "XleGQaGeIsuBvbD5iBOv",
        "BVnX2XgN97primOh0pc",
        "set_Size",
        "HibSTqGYYacG8HOrKEL3",
        "System.Net.Sockets",
        "xqy6YfjQkF",
        "'L-x\"=-.",
        "JcKyJ6G8fj7HPSuqkjdd",
        "hFIf4bPps5k2mYifT7",
        "GSNrXJY1fs4eFwyZlM",
        "KPgEEFXlUQbC2EQCRwC",
        "ueI1d7GAFVVmSjCX1Aut",
        "FtIoMsGC17silmj1A0E3",
        "DesignerGeneratedAttribute",
        "gD*i'",
        "Aui6FgcPUe",
        "lQIu3C8aa4jPjG2gZmW",
        "smGjboOstOjJ8NmXQoI",
        "jXjSWPHpaopiGE0kQUG",
        "fO7x3wGKIeTUDa2AKcIT",
        "znymVc",
        "XJZhgvghbq",
        "nPgQNsGGgFnMlANtm1a5",
        "vmVw66hswi",
        "kDctMqGPucNijsgpkuOr",
        "AutoSizeMode",
        "yMkJo9l7w4",
        "kQbolpbX9W",
        "kffpeU",
        "tfJw6xqZ7Y40l4yMNBw",
        "lx8x8gGEv2isgHefD85M",
        "FmWXTeFskusKehRmT6",
        "X)f`-E",
        "Q334P2Ei32Cy3kOvnkQ",
        "7#S4Le",
        "color_0",
        "Decrement",
        "set_InterpolationColors",
        "g1vRntq6R99rXIpx2ai",
        "Pxv'M",
        "rDAYYeGMWWdP573NmUNK",
        "usYxFMdWT4",
        "PFuSH3GrDr8dnQ1q7Q5L",
        "4.0.0.0",
        "kaR>q",
        "KClxVkbe91",
        "p1sCdL5gR0TiSCRixcP",
        "DaLYnuR8O",
        "yh9sDwjZXUniG4ffqPk",
        "?#42?*5",
        "kc1B8IzyMESL8UGLsTB",
        "XXLT4PvJhqCGNXxXRlG",
        "Jj5NQq5rv5d4guldfc8",
        "WUso8S1BxneGODANr56",
        "ur4ZXFUgODYZSZU2JHM",
        "JH2gwjKGMCCoi3SLaKF",
        "gPaveHccTl",
        "miaGprxlTQUNHGjSLyD",
        "ja0eFiYEYBqsCC34kJt",
        "ysxVf",
        "EHuoOCGmcQgin0hGGhjh",
        "s6Ggy2pGEDISe7SVA3",
        "Impw1aGYoqUZgKkpNdcG",
        "nSQsC0wkYosA4u9yTTJ",
        "d12hktdAWQ",
        "uDQRiRDyDn",
        "[Pz~9",
        "WqCC58BYxH",
        "_Lambda$__49",
        "G57ktKGNvIToO0I4hfkl",
        "user32.dll",
        "cucVogGfea6ebKEnAH5J",
        "UbpX8bGAbYVonegxq9Yl",
        "$=/Z?1",
        "vmethod_0",
        "lOmr70GxrXu8qlFfHne",
        "FZJv5PCZlX",
        "?)kg ",
        "gdelegate18_1",
        "wLxpoeGAtW8qw4aGVu9",
        "IWBWvMghlXQQrt236b",
        "qQgxPNZOYeEng8KTNQh",
        "LAZaR0GZ40RsUTLbfeme",
        "Button6",
        "1MV~I}r",
        "]voelY",
        "E1Y[8",
        "DHL6VkMCiLC1dI4vJPE",
        "wcFMu7Gnj1XnXh1e2NWZ",
        "mGvTy0ADQfI4s1EGju3",
        "ntmeMAJTx0ZbVfWAp1B",
        "Direction",
        "oEv4Z",
        "DnsBuilderSettings",
        "TdxROl3l6F",
        "HiddenTabControl1",
        "TreeView",
        "WCmOMatU9V",
        "XYSdCboy9UAEXYNIxvi",
        "get_TotalMinutes",
        "yoXbYJDKAJ",
        "TCW_R",
        "intptr_0",
        "M4daRA",
        "ToBoolean",
        "encx0x9CiN",
        "26I})",
        "get_MenuBorder",
        "apgq8loSAN5Nn0GYZuF",
        "^ibT=",
        "qxNuStKX6abfNBmWwIZ",
        "DEcGPtAu8Lkbi7gN2tH",
        "GSUbR4vlV3",
        "sMpnbl0bhgBAtAUOg9O",
        "ooswt1tHKt",
        "FU2qtSGmrM1C3O0Ck3Gh",
        "gdIP\\",
        "Ylw90OGyqtyxmrmq4j7Y",
        "cPHCKZSGd5PlQoaDSPD",
        "Y$?-qSzyib",
        "QYTOF5HGMl",
        "ikT0rJocXp",
        "gr2SUAWni0",
        "mPwtNkOMyu8s3davR1",
        "Fy4Ne9GPKN6qDiSnpI5K",
        "QG,KRL",
        "WHd9HIGrOxxbOOfM9faa",
        "LZeWP",
        "Mpvb8bLysh67KBeLx2n",
        "aIxdO4RgdN",
        "w+w;l",
        "8T9xC'",
        "nm5dgiq2pZ",
        "yQtnfQuI0rM0SNDBaO5",
        "'qX@t",
        "wmHUEjwN1UBpYmPrBxT",
        "Label7",
        "y[q[}",
        "UZdGg9jLsNip7YXGI2d",
        "jKSq3gfGUOrBHs5pYaV",
        "InternalName",
        "AWxyhAuFPRsyjcS7JCZ",
        "/A!z5E;",
        "4fJHa",
        "Y_eU%5",
        "NameForm",
        "DEAXGRdSt54mYU2Wrfc",
        "nT7vleEItq",
        "rx8qQLGPkUio0pslyN1J",
        "kJxkSeQ4qSA49H7nDjL",
        "whmmypNPeBlmLJ9wY0f",
        "set_KeyPreview",
        "HPm5hLGAx24E4GuGpB7V",
        "EQwS0VDsKTBdJHeFokl",
        "wVh5G6gSrP",
        "LHu0,",
        "5@i<0",
        "Xd[~a",
        "@?9<z",
        "IPHostEntry",
        "nzI`2",
        "rehkDjGmy4hVSfbvJKjt",
        "rTB)=!",
        "l~C2=",
        "f066AgE9Ub4Har4VuKc",
        "weyD1LPdhuOZBy367ya",
        "label_3",
        "|9;!VS",
        "C4PDx7VlRg",
        "N1xdTwFOvY",
        "S0>OHKs@",
        "bfV*p",
        "wfMmlAaP3BJOvm7ybGO",
        "lv5khgGf6CtdicKCLLvd",
        "KGRoRTSluUrwC4kYm1N",
        "~U.tx",
        "Cj3JSYO1RoWpge3RFJC",
        "\"gj*x$",
        "coRieUYq5EEZteUn4VA",
        "uoJz(",
        "IPYkvKIX13Rh2vwyLJs",
        ":IEUF{",
        "?E*.G",
        "zPs0Vjblq8NZpju9ZJq",
        "NBdRIskbOCeaxK6Pgq",
        "vVOJmJLGCuBu6yQ93mV",
        "SetBuffer",
        "get_Height",
        "z&G.ZG*W",
        "TOnTWGu9rk",
        "(L1+\\j",
        "YZEYNcUU3X",
        "TdfktsMROHaslSIFulN",
        "j98wj68xMd",
        "TabPage1",
        "aBqnWfruyKCb1AMIm6y",
        "eQHt4JGbTWcvAeBWUxxI",
        "OnDeselecting",
        "m9P+3",
        "mFZbVdGYfCOJAX6jG1mV",
        "fileTransferStatus_0",
        "TporeIDwUVWPiqJdtxr",
        "method_32",
        "Tt5qAiGmupEexf5MkgoM",
        "j034DA3vmdlZpDMD4Ok",
        "ljW8CiGNrXe49tYdeGmP",
        "Uv8J42xe6M",
        "WnAj7GtxdK6ZfwgpFYj",
        "oUHxiv3IlWkRrpl6fuT",
        "tB2JAxGj8r",
        "N2xNz",
        "Ec'&g",
        "52GW(",
        "XmlNode",
        "WWjHubWD5g2XSgysg6n",
        "YO39J2TMoxWZ3k6cBlL",
        "8&_E;",
        "GetField",
        "mZ2mdq04ho4JHaN7kgi",
        "stj34HGIw7tJOUn0U8rv",
        "pKle8QVp5S",
        "qNJDR5GV1yR2nh4FPlaZ",
        "eASASlwowh",
        "Aga5iYApc3",
        "jXVkaLvHc7d6pG5PkpK",
        "r}_|b",
        "q6jegIMW9A1eoSNOAFK",
        "xpHoEqtuy6",
        "RSbmyosCgabirK8rob1",
        "tWOnGa036K",
        "cWUVIadv0pbaayhDOrn",
        "$uqf?M",
        "MvieQ5J",
        "            Specifying requestedExecutionLevel node will disable file and registry virtualization.",
        "TZMe7R",
        "T5oNRfuJtV",
        ";Z.1t",
        "o/MYAyq",
        "Variables",
        "EyIwYxLmsU",
        "MyMOrOck2PHXcIcgdSy",
        "xkEJVT0XcL6Phcq3CTE",
        "5?{iq",
        "cQm5vXhGLb",
        "r8XUw0fNDpeyejSJpay",
        "M2eHMRGlLLvVdkuOWvca",
        "I1inyityPe",
        "RdO42rickklOvOq2GOc",
        "SendMessage_2",
        "Kq4`.h",
        "ybkCfYZ0P0BdkkG2kpr",
        "CreateDelegate",
        "`EZNDJ",
        "JUGsseGfdUVKco74S8aS",
        "MBblB0lhKm",
        "FHETdpGxpcWblVT9boJD",
        "obO1Cj0FNeOyhR9ATx5",
        "Nf@nGq",
        "\\Cnkaf0m",
        "6+R6EX",
        "SslPolicyErrors",
        "zqV2adGXZ7ZIYdHWSWdb",
        "mMx91uo1L",
        "Dispose__Instance__",
        "set_Children",
        "RMr`.",
        "eRQjdGjM1y",
        "oDLl7xGrSHpSa6UF2FRg",
        "AnJ0rDydOCJP1rhhr9k",
        "E5ahkkGfZZycqqoK5jrH",
        "nWRgPttirWcHP3TinS3",
        "set_Effect",
        "socket_1",
        "W63TtAGVfbDLMPEU4Ghn",
        "znfJpOGV5VV12X6WZASL",
        "ClientFileName",
        "get_CurrentDomain",
        "Xt2AHr",
        "RcPYtCFXbp",
        "HgN6s6kZSa2h8qWqO9G",
        "IServerBuild",
        ",b0guh",
        "Hu0J8FleRIH5Ydwv8qS",
        "Pa5XvktMAY2WmNqfbhs",
        "tjpvfeGLKwLkiQ665oJQ",
        "UOzei",
        "iyWCXvJ9JlYveXw0wXZ",
        "SMufHuGeLR03ABJa3v10",
        "nativeSizeOfCode",
        "Uunl3LGeGOg3bZsjhm6q",
        "s7oOV6AReM3dhJSiplp",
        "SKjfg",
        "rv]s1",
        "JVmL70ymEIxTkXJajb0",
        "MOKTtdGMy66CR3IrwNnr",
        "aJLEFoLZWAh2u2tmP2c",
        "JLPhUFGlHiVvVGOfI5IW",
        "get_TotalHours",
        "Pn8##",
        "edgNi3WUJQ",
        "afNQ5`",
        "tOdSv2ghjx",
        "FAFJ4pVsMsKaQhGmsXh",
        "LR29sZmyNyFvNUvTEFI",
        "CSIVogkY5meSWrH8s9",
        "fgatmDGKwwiFZtabXphp",
        "client_1",
        "hqqYcRm51b",
        "FjqoeeKjgibP9MJ87yO",
        "ERE\"d",
        "gypyAsoD3ZFl9mly8NN",
        "ToolStripDropDownMenu",
        "KfJJdsGP0d9h2EWUtnEq",
        "S0pa4vGhNZoZ6ObSqqTL",
        "erWootGyZfWqoV4015ne",
        "wT2jElwMUWflrh2CRLA",
        "GDelegate9",
        "LogColor",
        "qDUuNUh1AkA2uGlOHwh",
        "z7WR30MrDg94J7B2W9f",
        "t4PDVPGEA44x9DWGmuaZ",
        "CancelEventArgs",
        "_Lambda$__86",
        "jVC9x1lUg4IF8WsPH5b",
        "sd3Is",
        "<4}\"E",
        "+m%b&",
        "bX*\"U",
        "DownloadFile",
        "h~Kn6#",
        "mgv3XeGKQBMyY80CDq1L",
        "laEkiCmD7APcvhspPLU",
        "*b{%qe",
        "jYwpN8GZSmvYhRAig8Wx",
        "I<G%~",
        "int_13",
        "lUKY1mRcdS",
        "0nH~pfs",
        "Pb1XOyGmOLcgQuV52d7Y",
        "Aqd0N4GezrkI1XxtTjbe",
        "IH0izacV0Z",
        "<4#Q\"W",
        "%Bz<=",
        "Rh\"wvo",
        "BinaryWriter",
        "get_ServerFileName",
        "er1yy4GQDTqakUQvM3g",
        "MioJd8sfas",
        "set_BlockSize",
        "s4!a(",
        "zM5mwmqNyqoRyONveF",
        "vAUj53QIyRLaRhl4eJH",
        "TDNjDCi8uVxRSV34iD",
        "z3wb`",
        "      <!-- If your application is designed to work with Windows Vista, uncomment the following supportedOS node-->",
        "CJiYhUGC5LCdPXA1EZvc",
        "DAkwwoZ66l",
        "InvalidateNotifyIcons",
        "gDJS5V20wm",
        "H3J2kFGgSj8DW4MIMcJm",
        "OYB08g2qK6",
        "uSGDsiSPRZexU87fj26",
        "dFHtRCdr0RVZDyZdDRe",
        "7so p",
        "a8POdgFHttXYP1ncwGf",
        "eutfePO8ffFHR2jt0fW",
        "nbTdNNLRV6gLPp7nhur",
        "oRZch2GKfcJ7rD7q2PbP",
        "BfMruiGwMLaVqAwUV6Zt",
        "x3A4m97YwcpUx7Q4nuX",
        "VjIxTWA40b",
        "F9kvOrGlJOCEnlXYFycn",
        "label_12",
        "JdTTeqeqjHdro2aTgen",
        "Amdy0DtWrkEE2mF0wI8",
        "IUYkErP1CMvica5ZNEi",
        "T`W~ ",
        "BP0jbN8obU",
        "BHieukGMEZcWUtflS3AM",
        "0V4lmx%",
        "KieDcxuulV",
        "OL>oF",
        "F'aRS\\M*gi0{K",
        "fBgBCWpVUN",
        "remove_ItemChecked",
        "_Lambda$__11",
        "cAfEnx4SVU0x71bRZuh",
        ".ctor",
        "lAJmGEoh3MMwmvWCypw",
        "vNo}y3",
        "AwQdCJIohV",
        "f`ehQ",
        "vfPbdYSUWIjBmhYGH7t",
        "MRTVSoPPunRAbMjpuhi",
        "lBughCGmhKyQ4SblAepD",
        "Label15",
        "hEA6JHGwEuCtyCP3F0vA",
        "PQHMkMOEqMGZEs1gtfY",
        "hZdBKGWavfV3lrysdMV",
        "neJOj3D9ZQyn9lobG9m",
        "rlX1cI05ZW",
        "BQFj2bgprp",
        "RC#[@7[",
        "m5Un7hYuNE",
        "qWej0iKVG0",
        "Fd9QT6X6PT",
        "#0eyJ{",
        "dBKeNR4iGCAJMV8xn9n",
        ",M8r=(",
        "TV6duPvDux",
        "NotifyIcon1",
        "m>1'3",
        ".w>6\"PO",
        "wbQE5eGmehBt0ww7Jb9U",
        "uBarcBHiLK",
        "aEQkLiaRt23g2Wt7ngL",
        "ieJhcunCnt",
        "tnHUoUzsyrjNHrQVOuT",
        "gxjBloGE3o10xWUJH2gs",
        "OCveR3vGBqam5MjOA3L",
        "t(:QL",
        "VQy8.",
        "iVVnVspu6h",
        "XxCUoKjlqADfmIYKxgd",
        "add_CheckedChanged",
        "OyD8eJ15VinIpQJSngv",
        "c6?%F%",
        " ]\\Bw",
        "M_OEyR",
        "uxFCTJuA0hPBo5LnTNT",
        "s7PD8QGnMaQjHlKPBHlZ",
        "set_Priority",
        "yt8nhZ87nO7ACKcdcWB",
        "k38NwE7E7n1sB1ffM6P",
        "M4SSYPN9LH",
        "l5mllZtvZT",
        "Rg1Y5TOzYIJGkqJkOrJ",
        "fY9\\OI",
        "HccRKRLoMHNl6PAgJIj",
        "RNyvYvKtFw",
        "{B50\"s",
        "N4PJ6DLuBR",
        "set_CancelButton",
        "2LZ.H?",
        "eocSySN5Kb",
        "^9pxQ",
        "WsEi5ioi1UnAM58FBO3",
        "S0ns8qo7o4acmkPnxNJ",
        "qCZ532G9mMAMXJvtATX",
        "t}nx)",
        "lS{Vv",
        "AyIGuJdkldlf2SyfoB",
        "wb7mcdhLOgWPKXRY7XC",
        "wdY0erO5TN",
        "G4GnRoGEfALoi3hEiAlb",
        "b1(b/",
        "eO\"W)/3",
        "[^ibl@",
        "MtEryMVCXN",
        "zM5q4ixe0gp77RLBdVX",
        "EE>L9",
        "GetHashCode",
        "fltYBm3uX2",
        "Nh8XpKx4EvJJJlXv2FR",
        "EyJ1jSG8zytNd9EWKJ1k",
        "xYBbL8rSkH5uUBY5S63",
        "N@[CW[3",
        "TjuvhsbiYFvHkk8V8UU",
        "x._/9",
        "aMZMINGmWVkcdL2XkKrv",
        "WxawoF4Sgw",
        "LO0KGkElogJM2hsMKUB",
        "AuthenticationMode",
        "T-p8@",
        "tpBxtBVpyRfMcN4lexS",
        "FkjrFnGrZbPaySwsTHCM",
        "ExceptionText",
        " 'i:$",
        "QD@-/",
        "iqn5Qu9Esy",
        "TXW~5",
        "1\"+((r",
        "yynxmZfrhQ",
        "\"A$W/V|",
        "FileTransferPriority",
        "Y37rp",
        "Rr5N72GVvxcjrh6GHo",
        "iQiRas2m8y6dBi6VLAv",
        "H8HSq5Ge48NU5fP5fc2s",
        "'W;Wm",
        "q*}.44",
        ">'8#C9; ",
        "`0`V\"",
        "Y}9]oGa",
        "NWbq3HFNaLLwTnJjewW",
        "lLvJ8HiJseWgfvRW5jx",
        "iD8gdlnlBgMAtHZMTIG",
        "dnNHbMariMgQhjfgqlk",
        "UY36#eh",
        "M3/89",
        "CXJUqsGENZixWKQJjJNv",
        "ImageOffset",
        "yq3IoiGFsNs2MD9uiqi",
        "uhVkris7aGmZWVSGA6n",
        "set_RestoreDirectory",
        "u17k3NGySFjb4ATK7K3a",
        "qXkQ2nIP8X",
        "aqCP7asdJOHZNNNXCyU",
        "meiY4252Pc",
        "ow7iV739fO",
        "iNh2n32jkLfsg9upmSE",
        "            If you want to change the Windows User Account Control level replace the ",
        "set_UseShellExecute",
        "e(#?q",
        "get_X",
        "ALgNpBGlDsQyWoRCwuJq",
        "t>7BU",
        "PxtHJAGNNCHlC7A34oEK",
        "_Lambda$__47",
        "method_30",
        "CwQNTVGrdMr4engiIeF2",
        "r8R8qOGmbymk8PTAcl80",
        "BzF/V",
        "%mQ+#",
        "P7JjU23PkG",
        "k4tJGEMciyfar590qrV",
        "-v{3w",
        "Label22",
        "al91xCGgw8XIaCT9oCHS",
        "7%<!yv",
        "fsH3LEG4qZLiWgeqrc7d",
        "AK5uX63RMGdArVRuKum",
        "SjCCLBcMkv",
        "aotKjGBkaMSobOF8f1s",
        "'CV-,",
        "IGEPGHvZtwEKfZvQdg",
        "FreeCoTaskMem",
        "crUiyS9GWa",
        "MA1letHCjI",
        "xso97CebwgNO84CLBED",
        "HgpP72to6OImn2CZuyb",
        "d3J/F(W",
        "p2XB9iZP2UmD0Hm7Iil",
        "@,_!g",
        "aZEAMNOE9",
        "}6l[@i",
        "pNpOwTwSutq61TpYQf",
        "O&ibU",
        "Myhv4EAgU0",
        "X9Zyb22qKL",
        "qOR1eKiCSR",
        "method_41",
        "m<D+HR",
        "YaNr8xiU32OUL1yZvDN",
        "ETQpvvSdM1cVeKTIEXh",
        "Vyf93fGrBYtlVk5dSJ2O",
        "oPGTtHFkOWNtlNxrqcf",
        "s3yrb5KuGk5vXBG6WYa",
        "CDe31n3wFo7YXqggRAA",
        "}l\"Ff&r",
        ")c%I1",
        "Hssv8lLCVFjRoylGn8M",
        "tvwrvyfjRv",
        "OpenRead",
        "uyuMqPAZ7UKpbOsl44l",
        "C4eS9DsArGWtcgnblrj",
        "RG4SuHMHZDdfIUe6PU",
        "/>DGt",
        "uJa6el0kIydEGWmf0du",
        "y5dZZlGVQwmUjd9F3mwu",
        "NewsPost",
        "_Lambda$__65",
        "db7tNDp7olRXSP76ySC",
        "itYLMJBCKsTQmLHmpVQ",
        "=olL=",
        "nxU6y1aRZq",
        "Y9g9dnerdUcN03woWpY",
        "g16,MmSs",
        "LGU5qumvWAGJJ9i3qcF",
        "vjldhe64vB",
        "J1V21SgG5l6f1KQ6bEH",
        "G_h?E",
        "a5\\P ",
        "LLwJaLIHBQ",
        "O^$s;6",
        "m&=<$",
        "ScnBDlGxobbWtQ13qMpS",
        "g7Dl2HntPqgNoOA3SRf",
        "D7Bn/",
        "VgVYQR2Vtb",
        "SXrQ3WanYd",
        "eT26xrQBXHGyC4yjpb",
        "jAAU5jWmdDr2JDPmLFr",
        "cWcwd9a0LxuHkmYV8GI",
        "TT=(0",
        "Fd77xdzVIywMGrwu26W",
        "VYMyPxndN9hu9vEaMJE",
        "yQgmfTSGtI1c0Lj7F7d",
        "kuDiGG6Cog",
        "K2ks2FGbb6y4RTbJqSBx",
        "sM1NY19pNFlysiDrxWW",
        "\"/b4q",
        "$V|JO",
        "2>*_[x1",
        "CreateClientPipe",
        "u7bu0TGAVSYw83LqHSSY",
        "kUgpca5dcd7L6I2jW8N",
        "WTaCKQYWJmva1TD5NAZ",
        "o8Gcbe!",
        "eWaXHPGfC0WPSK4aTY02",
        "mLyosO7T9DH70peE5I1",
        "d9YaVtpuAM7F0A0ryZC",
        "yal\\hi",
        "K7PX0rylw5igPvSIo2Q",
        "mfoCuIrV4E",
        "d15DJS3u1cYuPQ1vnb",
        "i3PrgbYxoA",
        "$\"=M@e",
        "Mp8fBWGwiKxRO00JIfhZ",
        "ORxeVOyqeirjF7piRT8",
        ".7C~-",
        "Jh1&|",
        "j093V3gYt2bKb1oG5bx",
        "w8BqC2GM1m2BwbCf5Mjx",
        "intptr_1",
        "iW8QIxigsZCVKCFQlOR",
        "gbqagfps9PvR4ZHZ3GI",
        "FHfPgYGwsDKTBFTMBmIo",
        "TZLn1nG4Eaq2pO0qeTPs",
        "rSl5YMU5u794TpuKYtL",
        "veBoLjGlZinp8EOK9kEo",
        "set_ShowLines",
        "Dl9kyAPQxxYZweD6O4I",
        "PgRQQodBNj8nojs1unq",
        "YG0btrcr0s8eqbyhgJB",
        "CompositingQuality",
        "gYRapwGCUNmnhdXGaA07",
        "uVYv6bGgAchtaXnajqMx",
        "aCFiObFw1C5pgLFADnv",
        "pQTqQGHqmR",
        "K2vnYY8XOk",
        "@%Qp[6v",
        "jK5%R",
        "eA1RbyGlBo9RwWwfaJTH",
        "?BRe<",
        "QPhCUO",
        "z1PnhxGwPvnhFGiqFmBR",
        "wEItE",
        "LWiTYIoFbp",
        "eQD2OE1dDH1GZ",
        "XtRST77STB",
        "g7QnbEGMBnly4Upakv0",
        "n!#B\\@M%",
        "$|\\Kj",
        "GetWebRequest",
        "JWWohk46AjPLltsQygV",
        "_D(s$",
        "int_5",
        "tga9yFc4F5xnymRZcNW",
        "quTtXiRNJZs9WaO4ix1",
        "iDiMcWqeC7hDCcLCQJV",
        "CFMG$w",
        "RIFBqxmHJa",
        "eSYmXkJyu4l43wVuyMJ",
        "YX0tuE7P2leleAw2eJ7",
        "+E<J+u",
        "TLthGjGG5uxdyueyYYIK",
        "GMvBUUGgblGM2b0DbvyV",
        "JPe1wKGeD75M1YsiW2PQ",
        "n0c5ZeYeMFxA6v68wCS",
        "Sl0J0U0xCo",
        "@.reloc",
        "<!C\"b",
        "&_k*BAD",
        "A@m'V",
        "      <!-- If your application is designed to work with Windows 7, uncomment the following supportedOS node-->",
        "YKhI05ah7amjIWFMsDe",
        "ibYwAEGeX3LwRmrDKrKt",
        "alF57uHuxLJfNOtFnbU",
        ";b9l\\",
        "qDnRsuiBPe9RPR46LwG",
        "FocusClient",
        "nMobSkGL718egQKjEBJy",
        "z QK7",
        "syR/&FW",
        "^6~y]",
        "AP0u12uDoZ3SPaMaYr1",
        "PVhJYvBEm9kC25j0Alp",
        "vrtn1PJvuA6E7e7gDe7",
        "UpgradeLabel",
        "lmWDsIMbrr",
        "(GNp=",
        "HBCAZ1lLmo",
        "Directory",
        "f1q5KlGLp0aquEpIO2rK",
        "*Xu<*I$",
        "oZsxVbrqvaIuwI3OhiA",
        "R9NytTIKKx",
        "KFoSqrGrAeAb0pLA6ZT5",
        "aFPVb3w583WuUjvfE5F",
        "ImageList5",
        "IComparer`1",
        "Zv<ql",
        "\"lTrn",
        "PGRsfmfIWqyKe1i5AXU",
        "GControl3",
        "sW\"md",
        "QGfK3L39rcJ1gOT0O1a",
        "qGBehTHSfc",
        "w7;s)",
        "adHqZFjbaCxp1GuUT53",
        "Xwq0I7DvfZ",
        "TuaBe770RYx6KNCY2Pg",
        "HideModuleNameAttribute",
        ",dZ5}T*t",
        "w20HESGxcFOsJ8AOKlBA",
        "Q8,hJ",
        "+VVmx",
        "vpt6hIUt7VFMI3bpfPb",
        ",$*7<Hp",
        "iiHxrKzQ33eACKvySuu",
        "p-ql!P",
        "LjLhIZYC22lrHMyVygO",
        "TUAcsgGrMTBd1sWnT8cQ",
        "9__[|",
        "i003ay1rrJBnktHkPV",
        "sI32ImN5DVDTyYFsovY",
        "%rVh+",
        "PwK0alGntj1vN9KVu8eq",
        "Khi4bcjKvWdyoQhAEmS",
        "get_FileName",
        "DgtsUg9rnQjAEbT0ITH",
        "m>Fv)",
        "`RF8a",
        "_Lambda$__78",
        "SQ65yrGCpi48xC2tbMTi",
        "rX|v5@",
        "()\\SP",
        "w5yhP0Erlm",
        "vNA9x5jod0OBIYm31P8",
        "qM52J0cekx0F8Cpq08J",
        "{+fEG11O!",
        "IUyFxLKQpnCjcoRYG9P",
        "Ecb1RJGMzVr9yQ1jIKpU",
        "Do+/b",
        "QxJH5qGAJ2y1oTiqAVdV",
        ".83tv",
        "Uw15uxnH5JsoA6k61FQ",
        "CiI't]\"{",
        "BxCoPkQ899q4bi0Rq7",
        "Iu0C7cgT8iStlsiXwCp",
        "cOuGcMG4rgttxQvBEAux",
        ".i>Y@,/Rj",
        "gvHBIjRR9BUkM7RmuKl",
        "ToUInt32",
        "BitConverter",
        "GClass21",
        "S5qBnZGEIfDk1Vtt4Dny",
        "dOOaRsGPP3kFYgmuTbHh",
        "fCiH4CZc6g7fe281vdJ",
        "VVJ\"E)]TF|",
        "gclass27_2",
        "%L*';",
        "VVM73ZGlIOuTRP3NKIfY",
        "GetTypeFromHandle",
        "EPf0n",
        "UvJeKpMd5trtV82sq76",
        "WB3AAgvR6kGEK3kDUAL",
        "tHfPpMQ6BpqEUq04gCJ",
        "kfWrGFkMe0Frku7cAXH",
        "l1s3XFaaivuFH1Jb2mf",
        "columnHeader_1",
        "lDycCEGwqrk7M5Nlja0l",
        "mw/#Z",
        "get_Current",
        "l6Lj8dj0ZL",
        "HTviPfGfaoksrJ1FNYL0",
        "].EfZ<",
        "uhsrZdGw45xFbmXJyjyj",
        "set_BackgroundImageLayout",
        "cNyav6GbUBvETerMHsDI",
        "QE7FMmgCf7KYLwECci6",
        "aQ6@bF",
        "prd13mptIa8HDVYoZU0",
        "jr[uV",
        "XhY5CrkCRC",
        "aYM1kEe1Eg",
        "JD}B!",
        "IBU6iTGfrf8kL9SZnvek",
        "CLK,&",
        "aDWDwQGmVZ2OKi3SKmp8",
        "bf.K2",
        "ee5x2VLKji",
        "OPxQ6QM1fk",
        "KB0pDLG4A6xItviCmKh",
        "T$8Z|r@0",
        "RadioButton2",
        "cNxe4Sbca1X9XiIu3ZY",
        " pv-ZCy",
        "set_Tag",
        "aeKjQW9BTctsFF0St2h",
        "E5bNE0W8B5",
        "w4OGB6IWPDIsERDNleT",
        "Wh4UDtS",
        "F5knZGqyBA",
        "t`9/@",
        "}$R;Y",
        "WHXPRk8gvWdNG5hJuag",
        "G6Bz_",
        "OECV8q5uiUsKqe8dCRf",
        "XWdq48ERBt",
        "al39jkki4jRobIg5tUJ",
        "o3hBzpQOWm",
        "i9lAOQaHj5",
        "Kv70CHlCGw",
        "jEiPeJpyMdxp2OTU3Za",
        "get_VerticalScrollBarWidth",
        "N3yJsmuwpE",
        "qXknFKnDmE",
        ";JbO/",
        "lfd6P4bIGWLlKFSrEH4",
        "gdelegate22_1",
        "J~%F,M",
        "g/i_OC",
        "aSfV3Ia2sYj1ivXF177",
        "XBHD58RGd4rB1GtxnhG",
        "qvqTlPynlMc6jqF1RFb",
        "Status",
        "w@Pd\\",
        "mFY<NKF",
        "gLDL2IG4sC70Ti4FcmT6",
        "jZ3Rr4GIZ24g86NLllMB",
        "Kg1jO4Ny56",
        "AEDwwHkpSAjcac7WaLM",
        "ETCfsFPqvt7G7H865QQ",
        "I_KSUmN",
        "ulteCQyBhjbRctedNWE",
        "TejueTG4ixUNPu6xILxl",
        "GDelegate5",
        "n!fR6",
        "whyAWOgEgg9MlJE7WV",
        "POqUktGx4OIMN0rUtUVI",
        "g16CZifVrIjA68ZfK77",
        "~c=rN",
        "C1fnexJVAh",
        "ScrollToCaret",
        "vgheR416N4",
        "nva64",
        "%vwtB",
        "FTgwClvSbT85cvCVyeq",
        "zMhI24zaDKW2wC2wqBt",
        "v\"BfA",
        "AZDlClsac6",
        "As(J\"=Mp",
        "KAqPY4GgjYOJRkgMFT1t",
        "JD2WkvSc0kGkSxQKy7",
        "_Lambda$__72",
        "_Lambda$__81",
        "splitContainer_3",
        "AfrldRJ13ftpwLycuWi",
        "DragDropEffects",
        ",b@k&",
        "FUpnIvRdHj",
        "get_Children",
        "R~079",
        "TOixk5hCQ6",
        "g8rDEYGgKwq1qhODWuuR",
        "ir2SFCue2uWysrqjMCP",
        "KiZZgHz3125l7qAGTXu",
        "QTJBFJR5QU",
        "WDQsc6qK7ELFfbkcbho",
        "O3wTX7GPcJee19fl66uV",
        "Fl%.K",
        "j77RTxX09G",
        "I-%\"2}5",
        "7>@s9",
        "eMgb0mGPwt4vLqBrtxZ8",
        "Ibefu8Byx11gufitS7g",
        "LvfrqxyO9SDXl5hUApG",
        "3$T x%",
        "kmzsd",
        "tGljbjGZukGrhSCAP2K",
        "KINZ4oTBhjvdwZVriDN",
        "FuenlBGAWVgghUGHCnut",
        "zolcdopBasKu17dWUN8",
        "Gk824TanldEAtoPHc6c",
        "62Ec!",
        "UpdateResource",
        "YOHMOXDzs47Td4WE8Yh",
        "aEmAKbIcVi",
        "wTWmtAj9f0JIsInHkNa",
        "DBYUQdaKEYDwbMaYpHG",
        "5>WKk",
        "Es,Fw",
        "zN}n<G",
        "MGtrX2X3bVekZAxS2wv",
        "K'b/p",
        "rJmDxim7qxEaZlrnYkJ",
        "eqDbgSWEDB",
        "fr7RlBRB2XEtba8RlY8",
        "ov3RoZm0ab",
        "Re5E1YtzH1CIuWrNYGR",
        "XS) Me",
        "EgLu85Hhy28vmryPdpL",
        "CompositingMode",
        "e08KGR0NhvnTPgrDwoL",
        "e44as_//5S",
        "GControl5",
        "wqKXSXogORxpauQIb52",
        "oSFhAPU7kK",
        "Substring",
        "Ft7XwkbkM947Kw5ksRy",
        "WgKPtZJb06dNFwrTL7u",
        "QeOXbG4IfkcPHj5oBMa",
        "CBKH5avQMpsOgSNfFBt",
        "5TX|d|",
        "PruBKFBTMCXe2tE7ila",
        "pRstS7ZoTJChkc0oL8x",
        "h-R{@y",
        "].L(q",
        "fF0PHLsaXO",
        ".?SWu",
        "tU0QcbGgooeslsP4G9io",
        "#.;A.:tW",
        "Gj8Y7MGEmcPS9Dbh97wZ",
        "VRlL7bGmxqvBlpxCKw4",
        "hx8Z2CGRCMbHLeSKjP24",
        "ePiCMKGNPCgbgPMOBjFk",
        "JNAm#",
        "0 W~qu",
        "qVEOb9yAFK",
        "n+} B",
        "set_RowCount",
        "lMlZuVAXy16F90hsi2Z",
        "\\i*-4",
        "Label20",
        "?'D&?S{",
        "Round",
        "aqhpkvMAfrQdGXwJCFs",
        "mvhS^",
        "ResolveEventArgs",
        "8~9rE",
        "Eg_$z",
        "lASa4VLNqMfpuTawwUL",
        "BtZMiCTYea2qgjXbg3F",
        "Delegate",
        "kiGGufPCQG5E3moZyxj",
        "set_BorderStyle",
        "set_Parent",
        "CP7yw3LHil",
        "uNMyIT8roH",
        "yd eQ",
        "iV)E]U",
        "hFEZxCR057jNm1wm8mp",
        "TextBox2",
        "defaultValue",
        "CnmRQrdY7vEq8lsZDi6",
        "gAfuBBGkRmaeJPwUlUOU",
        "ayLeFJGASTewv0XRXh9S",
        "BsCs0KB9scHwRnXUA8g",
        "NanoCore.ClientPlugin",
        "Llp9OqGV9S09Fx8pEtXd",
        "TW'!|",
        "WQH42eulj1cEPNKGxQp",
        "ajZBKIl376RpQoFcRBo",
        "get_SocketError",
        "hrp&u",
        ")p]hEC",
        "~;Q1{",
        "BWSuvBxEqmutwi636l6",
        "WTPSVb5ZFJ",
        "x\"?]NEh^uDdh",
        "UlfKCXFG1I7QNWhbNWg",
        "get_Gold",
        "DrawLine",
        "IVQroO0Y42",
        "_Lambda$__23",
        "c4fjr1NLEg",
        "PollControl1",
        "WrapNonExceptionThrows",
        "xsRPvB1QJPG9WEQw4RR",
        "qwb#|J",
        "get_TabCount",
        "{Sz!%|",
        "get_SubItems",
        "p3eDjoXqKexogfOTDdR",
        "RpxPcgovrF",
        "iPn5bW9u5qrLMuP5frF",
        "XmlAttribute",
        "B60noguhSO",
        "XsQn9Y8Fuy",
        "UA3JBZmGLkcdY75XIgX",
        "Label18",
        "|@\\E%?",
        "x7}4eg",
        "SocketAsyncOperation",
        "}t=\\O}",
        "MNu4X3Gb6MAlbBxYxsbZ",
        "~o>d-R",
        "YxURjff5ww",
        "i6Ib86qMXcIYm5CITCp",
        "gstruct5_0",
        "okLOARtANa",
        "#ZKuE",
        "Version",
        "eTQW5pGCbaIMCDXnM7BZ",
        "hhgZHDGnrLGA1sZKMBSe",
        "Enw4XOGYrAPVVfJ2lLTa",
        "IArp\\",
        "#D%Wj",
        "oSkg4BuJ9Ff2Uqu9KqZ",
        "HRfi6s6GqUoZvppCK7D",
        "jN.#T",
        "TDiDT5VNqH",
        "[d+O\"",
        "E\\x@k",
        "get_Parent",
        "ZhQF\\",
        "Qsp3pCw8EOW2JeprPGp",
        "#C7t@",
        "wCb0AFfK1t",
        "C7vPwqG469TE3wAWBybO",
        "XoT0S4yHu8OIRAcj5ei",
        "cwLRJeGwgijp4Obpb8U9",
        "I289DodfCqofcw0QDoZ",
        "tZYntYcRvyOfVYUv9rR",
        "Ttjwx9d2vT",
        "State",
        "qfLWP53Y3c6plC2IPcD",
        "J^]a8v",
        "zhcS7xpmRA",
        "islYCnrIf0",
        "gs6S88GfRJbfZ2ohwCx5",
        "R1|D\"!",
        "ReadSByte",
        "V0von1ycBLcMHW43eIY",
        "clientFileName",
        "T)l+8",
        "MFLHkAMvOoZIkhL5ojq",
        "iTcAM0jr6W56RQa00bA",
        "zrLKy",
        "jPAWb6GZyiWXEl4Phmcg",
        "kuiokxg8xx",
        "d,:ePA",
        "GpFet7V1OryMJklipSl",
        "l1baO2fWFfSISCAIi0d",
        "WtaZtPZiXEfG4pMNEF9",
        "EYHy5HGZ6neNnJauHWPg",
        "DJESBkGf54rjeYOyWBW8",
        "set_Orientation",
        "CKkGhsIffeXDgtXFZEq",
        "dFuNdDGfUayQBeKj1B3R",
        "diCEZqGYwDDv3pU5x3a1",
        "DebuggerHiddenAttribute",
        "WSCjP6yK2A",
        "yybK67GX35GaPRHciZKM",
        "Fr_KA",
        "&~x8g",
        "GlU!{",
        "KYksOqXHwQhji49C5kk",
        "+m>+|",
        "[ZY?!",
        "YxiQoYGwzoMilwPd7twJ",
        "R@]+H",
        "k2gl6yMFNlIhxUG3tI",
        "`?iU/",
        "xh4TBsPKOE37k4P06Si",
        "PuRvN+X",
        "e5goNEBy3w",
        ":3bo/j",
        "i;[fo",
        "ProcessModule",
        "Vd34ONOAnTYTjyTtYnX",
        "t?J)j",
        "gChopWIgVM",
        "nTu6VycGCc",
        "SSwHh6QoYlDBZoqmtLs",
        "A2e6jVl4jt",
        "{T5qH",
        "FKLgDIGnJ4rWQd5dlDQ8",
        "r5mD7HGRl27kS5jd4Ql7",
        "dipYHGi6s7",
        "GroupId",
        "My.MyProject.Forms",
        "LosOjBGl26vDlWe6VNoV",
        "get_OldDisplayIndex",
        "set_ForeColor",
        "Di0L7RE5wepHWywBL2t",
        "jECG0XGEYxjt0HviIN7W",
        "zC4bJLFtYs",
        "q7VBXX8Jmg7ouvHDGv3",
        "hWH1Gj9Z30xFjdtSHlm",
        "IpIb6P9R7AO0bAl5Qk",
        "SRnQDnLVchijFEvtvxv",
        "Vq3r9PGCWggp1jg8H0dd",
        "WQuTw8iFlc7WMRGB1Pt",
        "cmMyjgGA3n7McffIY6xw",
        "fbPQB",
        "WPAHc0kLehTcWdYIGCc",
        "V:.T|L+",
        "cUfy4Ubqtsml9aIrPKS",
        "ym8iGfGZqTQkpSMJmp9u",
        "HJ7NaaAbEt",
        "zPTxpjSZuD",
        "contextEntry",
        "Np%G4s",
        "z3~ty",
        "LXM68VXD5Ul2LgGFmo1",
        "#jX~%",
        "oijt5NXEcUUU2iNMHey",
        "V4IeV4jw56nqXZsYe9l",
        "TqcPE9vCiUxHqgMTg8J",
        "AAggLVGZhGjK02aSGsDn",
        "E88THCdwnW",
        "XyvAXIQ0upoBX1y6YI8",
        "NuJFUTGCdsThqtSXvlOt",
        "L@ei_@",
        "VZf8eMJzBvns7a08Vv6",
        "get_TickCount",
        "u7h2Ey5ZwVJfxovERvk",
        "fBAAeBOyaopFx0PhYTA",
        "IClientNetworkHost",
        "remove_ColumnWidthChanging",
        "ServerSettingsPage",
        "BeginInit",
        "wXhoY6GV7kp9CPDX7N2w",
        "h24ItJcWD0As7gFajr6",
        "BYdG\\",
        "oYRj9Mteo4",
        "ECnjtQGZVnTf562QrlAm",
        "Av8gLNL810o58U35loc",
        "TabPage5",
        "K6RGHcKs8WZFNlyE0LW",
        "xTs6L9useqMLK4PxFsv",
        "WL\\sk",
        "zt6wB3",
        "O05QMeHF1A",
        "AssemblyConfigurationAttribute",
        "CjuBKOl9Eb2313DbarT",
        "QbDtkcGExTfUfKbGvNmX",
        "RU66nrGf0PZLGYG0JDv9",
        "l4VeyUGbJT6hgZOI9fUj",
        "fJ+50",
        "ewYA5LwtaU",
        "QegMOrGy07ELbBIfYlf8",
        "LhCkPv1URsLelVUFIIu",
        "v9bab83SPtWtCCKKZIx",
        "pX&Zx",
        "uyMdfsPaWh",
        "F:ta5",
        "nb]f:K",
        "gLY8yThFb8Keh18qKlf",
        "<}Vw!",
        "2H)5o0",
        "vR)UZqi",
        "W9b93wGxq39TnXpH8bHO",
        "/[{bQ&",
        "W0yX=",
        "PictureBox",
        "h93gIPFtl1yvu5GVtRB",
        "eqIOm5ZLZk",
        "pMrvS_",
        "fHCR9RwT5aoLhiKlZNt",
        "\\mlGE",
        "mn.>!\\",
        "9CB]X",
        " 87bI",
        "rsMqwmqBdWqH5vwvPLk",
        "q8KV7QG8Kg0LuxwXAO3h",
        "+IUT^",
        "xkm\"j",
        "qaxYgecKn3QL557iYIb",
        "pHjPGj750fhK3DlTbs8",
        "RntQeEemAy",
        "db8QZGYuqB",
        "agfDvtGR17Kngv4fPCeE",
        "up6sRZkDWnTmx6YGDnU",
        "add_Selected",
        "Gy7nf7dslK9VHfbSVhY",
        "yScGmm568hQrmALbCFN",
        "OwwjY",
        "WtWSjN0apYeTofwKIIs",
        "Tpn1MpgTiE",
        "xoOcmJGna2BQ6uJaW8bf",
        "IC3ujrGMAxIIB7JHwBci",
        "NfZUBxGyu2jYDEotaNUy",
        "Io6DMxGrI76GRYMIfR6Q",
        "KAxbQ4rmuk",
        "set_Interval",
        "W^)L ",
        "qlUgJaaQPI0D2mxXFjK",
        "vEKAiFPOMO",
        "V>TR,",
        "s34Y6dwHnOIxg7N3bMn",
        "l1jHiDlv23SauypAuqf",
        "gPf1bcxwIk",
        "iY)UC",
        "set_WindowStyle",
        "set_ReadOnly",
        "?MrcK",
        "FSMcdVLuVW3r0NIPva9",
        "`HN]0",
        "RecEn3O3ZLDecXor8l8",
        "a>#Vd",
        "X1L1qAJNSKDAPCI0EO",
        "yN47upMzF1Vxw7WfZJ9",
        "set_CurrentUICulture",
        "TUx6zq3Gkf",
        "wJFYuZ748Z",
        "'Y7_Q",
        "zlUqnX#o",
        "#QNcq",
        "XZ2YMwKJI2",
        "EgcLbWe6xiqpHySYuZN",
        "fDun0pwStl",
        "XYj2ytGkGsFIrrZCVCAf",
        "Increment",
        "yF4WNyGrvML42HdmcwUa",
        "set_AutoPopDelay",
        "vboHFnVPJF2GbPHGTiD",
        "gcontrol5_1",
        "QueueUserWorkItem",
        "g\\J4|",
        "RBqwD83gIv",
        "B0y4GkGyaGZIkM3AMMNx",
        "YiUwQkGqKLZTZeOtobL",
        "kA75eOWyqJ",
        "FromHandle",
        "Ju9QmggZhnCW7ErCLeI",
        "AqIxcQ4kJUnnTaM8NBB",
        "kAElLLEjYV503LA7qY9",
        "zawGkSGe6jVrQncKiUaW",
        "MDS2Z",
        "Gc2G4RGxdQbb00UWA0HP",
        "s6khaMp3XdANSQW7Nq6",
        "VY90olZhERZMLHaWOpO",
        "7mP@w",
        "s6qr99S61cEjXj6Eodh",
        "*1c#b",
        "EoUgaL7xkO7Zhot7Ldp",
        "doSlOr6OjN",
        "4<$8s",
        "  <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>",
        "VqgwXmTnO",
        "gPo5jPAdlmUfuUXKx77",
        "Vh8b2suxVSUPBxvPplx",
        "XDmdV8119CXVtqnsa4h",
        "o>{/v",
        "rcDUf4LSyZBYA4y2gIT",
        "ot3sEI",
        "V+7?wm2G",
        "set_ClickedCallback",
        "X3eTJmGZcDx9fXueoGKq",
        "CLSCompliantAttribute",
        "aBKGo3GVWnDPo49Lsrvr",
        "C4C68O2sR3",
        "Yr3wRXE2WPqgFfaLRSI",
        "kdyeMiHs9G",
        "WvoK13GMnES8rliylddx",
        "({$f[",
        "Bm?dTu",
        "T\\f^W",
        "eDpcrRHod9rovLjB1KA",
        "YaZliv4ekwRa0V7q81U",
        ">C3sE",
        "WT5qq4XLxXcahLLa7f8",
        "CornerStyle",
        "t.;dd",
        "cdGDVPcgqK",
        "k9#R%",
        "uN29XrGx8Hrtywr7yauf",
        "get_Initializing",
        "Ertfn2P3qLOGEG5HRLG",
        "cOsqyph7oeJ1K2sRjNC",
        "dHwNMyiHLA",
        "metvVANEvU",
        "MrS9hoJHYJZlcAht9u",
        "fiV^(f",
        "r0kgv",
        "Il7WnWixSD5dUOpN89",
        "ys7y7l7cOl2npjdJOa9",
        "gfkRCGGN7scWJlPpTZLI",
        "CloseClientPipe",
        "FontStyle",
        "QBNJ3Ig6v1",
        "yJEL5Qu3qSgieQsTcsH",
        "v5cWp1H44Nv2OUU6onv",
        "kGiMxlGVpyLC1rCOOZwV",
        "}OvJ=",
        "DGkB78FF1d",
        "        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\" />",
        "Encoding",
        "gxdjignwfE",
        "kiJXsrG4z87UqZt3SjFF",
        "Iqbr5mdnKHsTGoa4qwM",
        "StringFileInfo",
        "dYN4JnGOh7ANoqkPxUy",
        "Bp5wPZsU9opnAnMoaCp",
        "GmKCcJjSc0HrbkdIJGy",
        "set_CancelReason",
        "%V*Gg",
        "gdelegate24_1",
        "l@Vx.",
        "VhJlI7c15q",
        "pS?Z`",
        "iZGY3Q9ioQ",
        "lY0nill6S4",
        "xffyPKCekiUQoH5fmF",
        "aeCluXUex6",
        "sDp:>",
        "FuSYVqwJELQOXjPQDc7",
        "hDKjcqICUkIPl95d5oR",
        "uaLkaAePQct3sHl7Qrf",
        "CMU=o",
        "xWlpr1GCNAiRA5KKkPv5",
        ">LY,I",
        "aLr04NbbaF",
        "get_Location",
        "Dk]Yy",
        "VxpJkkT7l0vdGGNnebZ",
        "ap36IK0P7iVHWbKvwT0",
        "CmdtCmGn3oS3PDVXwvc3",
        "cUHFX",
        "control_1",
        "RJfxLFGbhM95d1X5xa0q",
        "a1D9RwGKjKHCiRY3ac5A",
        "NotificationServerSettingsControl",
        "uqjqPMZyMe",
        ";R7-B",
        "SPFLdoBUPgiFSbLHihN",
        "hbxoS5hAh3skE51rDPf",
        "q1tU2]",
        "columnEntry",
        "mnUAu2UwYr",
        "zWK1j",
        "+8B]Vm",
        "nCeAWNGImr5LiAJIvV26",
        "EmBVs",
        "N6PBD4T0bCRYBreq4gv",
        "wNcE' ",
        "aZGolI8yR78D49tcPV7",
        "KRp67oo5JI8qBcytlGR",
        "TIfTh9BItjlCLOUsZty",
        "set_ExceptionText",
        "Zm:DfTO",
        "color_4",
        "FMduaCOqKysOXnfc12N",
        "diX1FhUY1PexYv3ivnO",
        "tOZN0igxjG",
        "_Lambda$__44",
        "EyJNxXOhEgiYEymYRKm",
        "l28PLBKonm29wCO0SQa",
        "muCn8gFvxuJWOJVZiHO",
        "GStruct3",
        "VwdwBS75rI",
        "HeaderLength",
        "e1p0APddwA5P2ifeV4Y",
        "pEfCJeGhqa6m7g0qR9CU",
        "ub6R7PBbxJC4t3fw0G0",
        "_Lambda$__39",
        "n5WkSsyLkTbFQrB5H88",
        "aVgxigcSa5",
        "p<,]NKv",
        "ResolveType",
        "HEMK8PGMMtqijIYgBrqQ",
        "Ugb4pH4KVyKyLfJO8rg",
        "dGGbLR8osHoDItH7vCf",
        "cGK0uGelkN",
        "z8WrQn1xVQ",
        "JBsCtp323mcneRKPJTY",
        "qViT0jGOIn",
        "SdMhF0GyBZ5aotjrDFEg",
        "A\\py2",
        "Olk5h6gta5pxUTsMC3D",
        "SepawBT5IEKJ4d0yq6T",
        "?\\pDV",
        "PauseFileTransfer",
        "TNjLwR",
        "QUOXysGG8NDXDQqY3DjD",
        ")5 TLn",
        "eoI1YjRD9v",
        "EhiwiuiAHv",
        "Label10",
        "llGgrFGmgtqCTEhiGxIp",
        "xI0byEzHD92VYD7nqZi",
        "OcH1d:",
        "KG;{ ",
        "w&)$i",
        "SplitterPanel",
        "wp4yPFx7aaZI6H2hJTb",
        "ivenkQGn5t",
        "e3eT6EBOME",
        "w*IA+H",
        "ServerSettingChanged",
        "QCeVb9dkOkAbPiRDJ9q",
        "OBdrYiw3yMTwjsAq2Vw",
        "H>t^T",
        "v|4,t",
        "=-[SqN",
        "mgHr3fk7LJRaU9obGwL",
        "eljbNY73Vi",
        "I6DbOy7Qb4",
        "G2P1U4Pghj",
        "hprPOPG8MPgRu0glBCvU",
        "$Qdp6",
        "VMhX5L1P5",
        "GScTgtKt41eKUSNOsVd",
        "t1j2KQNo4Uyba1a4ss9",
        "Invalidate",
        "Ljkr+7.",
        "S8bHNgmOfro4G5MD98Q",
        "guid_1",
        "xc4fwjI7363Cjy92dQL",
        "]0n6,",
        "YkuScmIebq",
        "VYTJp?",
        "nocqB8Lk8O",
        "KlLBeYcPWV23PClDXyx",
        "pRFMZsmaMBrJa1ukM6",
        "aVEbZQpNWL",
        "x@FU3%4rW",
        "xBCiE3HXbamsAOxHqu",
        "Id5U=#Z",
        "yG4MRsg9HVsDcYPry6O",
        "g44eYPQwPWwKL0uqeiO",
        "kZm!?F0",
        "x1LL5KcEAFwGVmH9k7",
        "+-{2sy",
        "uQXdcoaqQM79eq2j9ny",
        "mscoree.dll",
        "jlMJdZGrcJEjAuQ54Uhh",
        "RNpkE7i2kX8OpKMxZFb",
        "Yd1i7QG79j8DbVVAnIX",
        "ContextMenuStrip1",
        "GClass12",
        "CvlDnXGwUL0ooCM5YJji",
        "P){ar",
        "dCGixDGgNFvZcaws1cel",
        "LoadingScreenControl",
        "aPFMgDGIzi7fL7gp5NM6",
        "HQO0tb0OG44WTcNp3YL",
        "yQBdXGgLt8",
        "XooAVY1ZRp",
        "9Hrr:",
        "ewDktdMupXdkLJOLfq8",
        "3{PNd",
        "0yx$qQ|",
        "O1>1'",
        "J:hK$1",
        "{6.xT",
        "numericUpDown_9",
        "tlA9rF6AXwjW1gRsYgE",
        "z1u1symfIj",
        "rk3hk8UT6IHXArgQZs2",
        "ButtonBase",
        "pnfcp8EM1VLeeoCjN44",
        "gfN2]g",
        "get_Header",
        "KydiPLGIyJcW3xqZ6hqi",
        "HgsiPsqcPD7Ftq8MeJN",
        "gB%)m",
        "I+*!v",
        "qp1LbeiIEKrXCZAFkw",
        "KUR5avZmIDbO0cryAoR",
        "mYArhMu2w1",
        "j#?\\?",
        "84~+9",
        "System.Reflection.RuntimeModule",
        "DOGxn8GKEhJ7QfoYALLw",
        "aOTQANvttF",
        "&3fE|",
        "_Lambda$__40",
        "a1Er3Ad6gx",
        "UjaS7AKULbnYqsmJhqL",
        "yUiy]",
        "VOe9G4GfQDWwsMttSmrR",
        "pcB5FXRyhgLd80pf96",
        "Dvanw5ZT7pPN4Xmbq8V",
        "jreTfTdAh",
        "ScrollableControl",
        "aNCbNxdKGf6oPDJWxD0",
        "C34ekTGZri0Y0YahXtA2",
        "H4xHwyL6SmL6GeYDBTt",
        "h4xUqrm6Vo3vj7446F3",
        "pxUAwMWbjjlB4erweGd",
        "}\\I33.",
        "l1jLO7kJVDjKgMEYMtr",
        "Cagju6AtJ9",
        "kK@+T;",
        "si5L0tRVFqHxVLDSMUo",
        "CheckBox8",
        "TPX2wEVfNeATLpNlWwU",
        "xUgCkcG4hIXyksnZxIxf",
        "XRFLL`",
        "IYVJiL2QONparrEcvfD",
        "~+cO-",
        "Q4foE9eBgrAgYmF9uFX",
        "cqFSvlGeh6AmJU1hikij",
        "\"ots8",
        "YOh6IU8u3D",
        "KtejfYG8dX6XstaJcBPS",
        "LA4LiIn8UDsR05JUoUX",
        "yaiqhpShVA",
        "TJ6utFLsDkBN00WL8T0",
        "QXfJheVWeiwVId9LPT",
        "cYvjt8GXER7onkaEAkHh",
        "m5G89n66Tdt9kYOMPQA",
        "ApplicationIcon",
        "E35jvyGfS8QUoyOVmGl",
        "button_4",
        "h1dhowr0up",
        "itUJgNDNhBLijRwCpiL",
        "Q84b9BIKKTEjPbuHouH",
        "dZ60qgGrpa9FurXu4Hyp",
        "j832dutTA4A8fYTSqaD",
        "t7\",~",
        "TH914eGCEhqwis1fYbSw",
        "I4wFfQhaN9WRqqNbT8F",
        ".8H`H",
        "hpbJ2we2fvmBrT4LnMx",
        "pwgHyYGhxArtTsW6pWHX",
        "Cl6RynyA0RnccmKBWEn",
        "hO3fr<",
        "gcontrol0_1",
        "remove_ItemCheck",
        "c8Gv7NkP7T",
        "G53gaV2AHefDKSh97yD",
        "WPXE3E5pkLykq7AMmme",
        "JqNAEcGE6Aqd9ZATUSFj",
        "69UQp",
        "HandleBulletinData",
        "jkpNFhGuvK",
        "gE561wGbGY3DfnAwXWdC",
        "GZK7I8OfkyvaBhAvENu",
        "A&'da",
        "E~Ur\"",
        "WhssFKXTSspGy2kjs1",
        ";vAd(",
        "EoyNsDGLw2BDENvpA1EU",
        "\\ydu$",
        "PrepareDelegate",
        "nq0ydkGRemRCMg3Iwnrm",
        "kCd2OEdgg4EQt",
        "NVjd2xWgQT",
        "\\W7 &x1",
        "KVsd8I1nc1",
        "wiIHmvpfCCK7dnt3fke",
        "X8ADq8nOWX",
        "cKUZhaHcfbN1SXBDlVD",
        "w)je7",
        "cdI0XWsMlxYSmlRkgGJ",
        "UnABOskCce",
        "vuLZaCVwEnJM4slcdVf",
        "FDEbQOOdZWm6D8jwLen",
        "zi1qL4CDsx",
        "nkU8kUkIEZHGaQXbJxp",
        "FW0qJLs9Vr1wZuFoew",
        "yZ1LHmGPEs69HSbPpIiS",
        "BUdE6HJZO7Xyn5QgWEj",
        "Go3UD8GAZImm3IQ6S6E7",
        "VeQQaxGxLcNOqDeBOMpV",
        "qrFGapGPBkx2fny2AmlJ",
        "laxzoPHB7",
        "9U9h9",
        "gpBgO4vm2vcTyF3Nrgx",
        "vh1QPUGdPU",
        "Initialize",
        "dH`Hc",
        "Ls65GLUommqHfX5H03r",
        "K/yJ7r,D2P[;",
        "FKomUdVlr2tZLVtMCiU",
        "CreateFile",
        "tI4hdDLTP5GchDAVhPf",
        "YG7PIPGEA3De0KUT9md",
        "qwBhYW95S6",
        "rOYUEuSaPQOfrh8rivX",
        "oxsiAVIm6D4S3d8wFc0",
        "D;A4q",
        "Point",
        "set_ShowInTaskbar",
        "Kr8Dr49AV7Km9KsdboP",
        "set_AutoScaleMode",
        "PuQc&",
        "csDCXESMBtpLdbgkOWE",
        "-%yQtf,",
        "VY363cPVIc",
        "dwCxjturoEE7uNtbleP",
        "XPKwIXG4uYpmrW8u8FE8",
        "eK8TbJxzWjSKuXZ7iCf",
        "SBAjsiRQWmx3x7xInyC",
        "gclass15_1",
        "System.Windows.Forms.Form",
        "cf1mDkvMp50NuVTT1Ha",
        "V6wJWmGRUBoiVP6deOjV",
        "FileSize",
        "get_TabPage",
        "i{V+^",
        "fnd|~",
        "nu9rlJGar1QtOlyv49h",
        "atewSuGrzPjhRLNXhuwm",
        "m561xkU1Pg2r3B2WnO1",
        "oMq1afujHC",
        "xuqdlRGx1GErnENBLofq",
        "ColorTranslator",
        "saM>lIOOsEB$",
        "M7A?1",
        "tHUol1DbwCPL03GfaSP",
        "add_ColumnWidthChanging",
        "CCaIcfqpUpFJ5l0IyYA",
        "DeAbpvwQxKsjPA4I5MI",
        "c1AOrpxwKjQxysNhsWl",
        "u:+Bh[",
        "StandardModuleAttribute",
        "E5DxPLGRSUsS0Jmjj7BR",
        "(Yd<lS",
        "QqsgqvGEaxXUGaO66Yiu",
        "p36PopQBbgsksv0j4HU",
        "B8CXB2BVhUW8tSHCvJB",
        "ClnMTdxI3ncwvUpHhr",
        "TD6MBrUvtoLeSx9WJd6",
        "yk1OWCQdO2DOhFDwVqo",
        "mM_7w)",
        "c'I-^",
        "qUMyDSAnoJotnWE50Nv",
        "KF,Kf",
        "gTmPwnQyoLujAMQBoUy",
        "Enumerator",
        "x8bQjW3NsDRkcpotVRT",
        "Xcy0rZdWfYtAGncvGug",
        "get_Items",
        "g7MeHrfE2kxby4vjtLK",
        "TD1txJGLEAvXs0rTivpp",
        "ywQlj(",
        "t0uUY3Gb9lKf8p75jKcU",
        "iH5XV9vnqNPcySt3bek",
        "FecAqD90PU",
        "jDUTyhcWgb",
        "Hot0F0GbyAxw7bFSsZCw",
        "yN973ilxPHIePZ66dEC",
        "Wrm0RQY46XlJPgIuvBL",
        "tgbbsoGleUFMoflZ5KbM",
        "Iq0W5TGxvUnye6cTf3cT",
        "CVt5cgtW9i",
        "HKxqm6trBIHNuLXA47c",
        "5|j_x",
        "z#P[=",
        "Gu86WJPB43bQYcSCW5S",
        "W[(Ri",
        "pR+@T",
        "G1wnxyHm22gaDA6xdSU",
        "ARD0Rw",
        "hXZXP4YImw4kmMkcUqK",
        "label_9",
        "%uleN",
        "9us 91",
        "dKvissHNQZfuxO80oBe",
        "xKsvQNo3ok",
        "X\"(O{H:",
        "OcP{]",
        "wVkCO1HR9W",
        "y0wMafGXn0NqgQpsfVfT",
        "ELF7QfQJSKJoBA8BTxb",
        "get_Index",
        "CJGCI8pQuD",
        "_,gT\\",
        "GWZCalqfpp",
        ":>!&)",
        "gxRx32EbKF",
        "tableName",
        "set_SuppressKeyPress",
        "gdelegate19_1",
        "NKQCjMR13eyjecPtHO9",
        "IPEndPoint",
        "kaP0P6U9xL",
        "sbxFjKlFw9romINNuMh",
        "KQmwYDGMkWhLnkLnwLJc",
        "p(KJ{",
        "s-Q'H",
        "TabControlEx1",
        "q0FKdgGLb53s3oaClucq",
        "MC+?^,",
        "sXM1VO60dNZX7MH91S0",
        "giJRnOSM8D",
        "iK3RRqs1Lq",
        "ListViewSubItemCollection",
        "wpI5q2NVMQ",
        "J3byZh2seDXtlmNTNBr",
        "SvIGkSI4L1j1jFNS8g0",
        "aaXTPWPyToEbWkfJxHv",
        "ebUeQ2HZYHOmvoNpyVl",
        "wo3BPfsxL7",
        "set_SplitterWidth",
        "set_Height",
        "\"\\tHB\\",
        "{q4jL",
        "get_LocalEndPoint",
        "XI8yvUK4TLyyAdlgq3",
        "anGW87G3B3PA0NXAPTN",
        "(`WXC",
        "3I\\v#B",
        "TKR1wjZKAXRdiEN1Ghw",
        "akaqnxGeKSF2uKSkv8o1",
        "yh5C8fGLyh6rHXADZsiG",
        "byte_1",
        "Oc2YljpZ5Gm7iZlOURq",
        "XMXpcTGeN8Z6yMuJZ3qy",
        "cLSaYYXmPjbCo8MBd0X",
        "q9mEt",
        "lj ]3a",
        "dp8TVxG0WDOsqSYwWby",
        "ibuildEventArgs_0",
        "/c<MDD",
        "x%'%%^",
        "AssemblyKeyNameAttribute",
        "TableLayoutColumnStyleCollection",
        "0QOrz",
        "fpSihfgXjr4nwEofSk9",
        "ybCj2UnsTU3M5KrEim2",
        "tXsPeEiGZLAEXc0t1Z6",
        "ThXnKnD75IaD0Jth6N",
        "set_ImageIndex",
        "*/t0v",
        ";sFsV",
        "m\"#uN",
        "S3uofeRj2KCbiRNVGNW",
        "V3S0SXB0nT",
        "\\8T-5",
        "LTeAx4z55We7XG7j2W",
        "}@E2SW",
        "IT4eqxylgt",
        "QrFAJ",
        "nCk5YhRjSL",
        "YN2BoKa48L",
        "HDm3rjxvw1G3R9GVqCI",
        "gdelegate9_1",
        "llmrcbGw2On3ca5DckZW",
        "!This program cannot be run in DOS mode.",
        " PB 5",
        "Insert",
        "hw0oZPbaqI",
        "8#+[F",
        "CdshWJ1fZ8DlLk4Ar6q",
        "jxtbrmi3AMBVYPnfxem",
        "xyS7Z5GbwIdVDy9hXFDG",
        "yf4db5xU8UpaG65g4gM",
        "ul624Vd0U9eBgPUV7pP",
        "fHeup1GwFV1NMc4I2uoD",
        "Buffer",
        "flZtPLuOskv0CUkXutO",
        "tlonWnifSG",
        "&D+UI9]",
        "yG.ha3~f",
        "qKmHS}",
        "UeEagqLWBKeeWokexJ1",
        "z]qZm%-",
        "bYP.3Sy",
        "TabControl",
        "UWyjqhGfzYUVQURi0YHo",
        "gWxqGsecwm",
        "PF6a]",
        "/_W0i",
        "g8vqCsgyn1JuJAPrspL",
        "FLYJt",
        "ERsVPNhzM1vKGVqYPdn",
        "JXmBTK0jek3or2o0cAm",
        "\"htsM",
        "sU2NrXK3EB",
        "AQh5uDZAVbm9rpftFEA",
        "w6NpNEjvtGua7Tmamys",
        "Oe861MmkuBrWhA0vJha",
        "lWVsVBYbabMxUjTTgqY",
        "af3StGGC9V",
        "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">",
        "wZikRGFOYQUJUM36m33",
        "BH3yepJh5kqsDUjyOL5",
        "lNMIj21qpmco5B7W26U",
        "1=Sm2",
        "ql61vGV69v",
        "MZokFG9K685FIVWLl0D",
        "LGxFpEGVDgtSgCuFEGr0",
        "SendMessage_3",
        "LU9m2HGyhBHa4VxN41Ai",
        "xNgyexRifC",
        "gKBjLi4<r_",
        "n}Cek",
        "jaU81?",
        "CancelReason",
        "Hlqq9oGb5ywNLLFtfLBi",
        "SettingEntry",
        "zIw,\"",
        "dj~)r*",
        "XrbnxxpAYl6tmCqLtnr",
        "oamoL2lkoy",
        "khywAjVQJD",
        "YqOXV",
        "MeasureText",
        "xhNo1VTZtNGInPa8E6l",
        "aKSxVnA9qM3wiRs6Rd1",
        "ApT7VOvANfuZvDXeNmu",
        "j8fCUdGYpgxpAnZUANCF",
        "C6FmWrJCuDKAEe2JtJW",
        "SocketOptionLevel",
        "YTsTxmGGmTMYoRIY6nsm",
        "8Caxq/",
        "-d#0B",
        "WxVH{",
        "'Wb.1",
        "ListViewGroupCollection",
        "add_MouseEnter",
        "I\"0@x",
        "AFerb5M3KI",
        "gkqKovTzIpTl7D6th5p",
        "crxbzBQwDt",
        "EE3nfrLqUYtMPu2rjck",
        "MyGQSiGVJULe3goR1ga9",
        "JLwI1Id9dKVnAOm1B5v",
        "YBPa4S8ryJUdpNM8e6P",
        "&fF_|",
        "iOUiGSGe9jb8spU7L5Jj",
        "XctpmnGhMWNawXkXCTVq",
        "aVWvvLGk2MxiuF4IKym",
        "q~#p\"",
        "set_AutomaticDecompression",
        "GXHS4KAAja",
        "nwFvLiymyx",
        "UHVP5mGg8JfVh1S2JTh7",
        "XtRA0aG4Iea0RVkZAdXq",
        "Z=.l#",
        "6Ufd_i",
        "VsOYVaZS8s",
        "SlqIXkAk0tfGi7mRKlF",
        "add_Deselected",
        "1y&]\"",
        "/R#`W",
        "wfCgiKwEIS31oDADZDM",
        "fG8BO2KvW5BAqRvsHq5",
        "Wkq7[CN@e#",
        "kA484XnRoKu7XSJUE21",
        "E31oaQfsL9yTkFhDAN0",
        "QkNO0tIORkuWjdbNEti",
        "columnHeader_3",
        "X42yYNlG8T",
        "BNZZ*",
        "iPKWpq",
        "e0p52c0ZlR7pQUKmRfj",
        "OvjYbv5NkY",
        "GControl9",
        "set_Mode",
        "_Wo@`D",
        "_-WS]l",
        "TPWK4sSbW1yk1i6nmWZ",
        "YnqK3Vk9W6jWPKbfhXb",
        "a'Zd3",
        "veWCdXZJq8",
        "TT)?<",
        "h6rqELLjuh6A6b997px",
        "kv0AilNeaanyy2OiIe3",
        "gDGIwr9c7VmTZi9kKNJ",
        "lzU|7",
        "RSACryptoServiceProvider",
        "~+#J%9",
        "0,N=P",
        "r6q096GZURx5yROBHd3k",
        "      <supportedOS Id=\"{35138b9a-5d96-4fbd-8e2d-a2440225f93a}\"/>",
        "gHhFLBzFDHj9flptlQl",
        "ks1SLDBWjqY9g81g6nB",
        "Aa21UW",
        "c')^%",
        "TSX1pT6Ev2",
        "H2wlTq/",
        "8!4,LPSy|",
        "](V&\\",
        "0[ljf",
        "MOXr6PA9U0",
        "ExecuteScalar",
        "IServerUI",
        "MulticastDelegate",
        "AigxIbo0HFS0VycIKLV",
        "(oQ|G",
        "Ko8YpWR61D",
        "fYMEN3PVjr8tYCGmowY",
        "(Nu-y",
        "i0/c:dH-dP",
        "liGm#",
        "utFrQWXsGLgOaufmmDM",
        "SZWla5mfh99SCCyEQFQ",
        "remove_ItemDrag",
        "/FV+Y",
        "System.Windows.Forms.Layout",
        "0gRZn",
        "method_34",
        "FlushFinalBlock",
        "get_BytesTransferred",
        "SFU4mbT3GMret7THonf",
        "WTkf7osjtbIRcoDqn51",
        "Ggt8cNlma0LubqVlQhx",
        "uqOlUeGGyiaSEumZ6Ry1",
        "get_ExceptionText",
        "XVYJ5",
        "ToolStripItemRenderEventArgs",
        "DownloadString",
        "XUi5mqGY2CoErSaQ5To0",
        ",oiQ\"",
        "9:~pu",
        "YCQ5ZUGKCp5Y05kh7O5e",
        "UulpG1tvXYhxgdadeAL",
        "nKwUUkG4GbuiyFDsiKcT",
        "get_Panel1",
        "LbTxcfFZXA",
        "S `i9",
        "Yf79OcGeAOVwN0ym06Tf",
        "Ua7pS1Lnfg9bNcih2Vm",
        "X3if2Q9SktfSdXRj4uW",
        ":p;A'",
        "XJTxqG4WruNIgoShTEk",
        "sCahOspfKR",
        "E6JjdiJaeyLomaXREWl",
        "vD7qdf17Lv",
        "l\"K/c",
        "GeYyQo3ZGFYmyJGU2xh",
        "hBABdo5XWF",
        "9#8I7",
        "I1C7rfsY3sVMdWsabao",
        "MJrHfxBKZ84SllMOiH8",
        "L<f=xe",
        "NAp3CiGxnJrlACmVvE3",
        "Hq9cDkE0uAqktuSKfUD",
        "Registry",
        "iiGO2ZGRTDgN7oRbhNcE",
        "uPFNogX846",
        "Y2aqcisFja",
        "gMxrkq",
        "j8OHbZD1KnCgoahgc4k",
        "AD4oBhGsFPWUILqZJFD",
        "I5w7+",
        "FlKjsqafuTEtSqJNaqU",
        "yCawqKGMjnLXkPG7U1gt",
        "xgGGjHGggN3M6uWvRTJV",
        "GControl1",
        "iaaw/#",
        "kSbP8HG3CUto6SW8NYOs",
        "XcVrUdb0j7",
        "listViewGroup_0",
        "<dvxu",
        "Cq1YAsRXyhkSffZwxnD",
        "xlMu19Tkikq3UKE5Ld",
        "CreateDatabase",
        "u=-Ws9",
        "StringAlignment",
        "v2bD4gGGRyKYKem7n6lT",
        "ABn?.",
        "pSOG5kGhrWo9VvlAUKU4",
        "Wca5v",
        "qqO09ebCtW",
        "PictureBoxSizeMode",
        "QltNnOUdZAS1OkTvSWH",
        "yxZFmiGm26dGsKeLFsKg",
        "ToolStripItemTextRenderEventArgs",
        "wVpQ72",
        "xD0qwk0cI7",
        "ritiPDvaoi1hpFoXQ8g",
        "DmR1dwW52v",
        "GControl10",
        "D7Y 1@(",
        "IClientUIHost",
        "JMrqCVv4Lt",
        "checkBox_1",
        "IkJnSmGnCKMDnP7f62lH",
        "oeyOlIAhNwDImVe3fEA",
        "WQXvX0GK0Si8qQmpqjvI",
        "EUt2GdGwaUKTVU0RV8jR",
        "BBymSMr6dw1OewoDihu",
        "G8aeP4jdxRlad6WBAqx",
        "GPm0VVgKyB",
        "emFRh5Sblt",
        "A0ZNl7LM0M3nWjDsnhT",
        "U6vvumid5yEtSAZT8U1",
        "JvfyOOmLlc",
        "NavoHumnlIe7gHxbP9M",
        "X2yfGWGIVcWaRvEQrtqs",
        "CbmhmFgg0KKpSVpwiVJ",
        "HF1VlOVQf9fSva9t3YJ",
        "]Vq#-",
        "ResourceManager",
        "Wv<5Y",
        "ReadBlockData",
        "nN=H'j",
        "jgvNsRGygjwSCcNfwYjY",
        "=?eM;",
        "aaPaEtYcZOWXRXValsq",
        "us8x8vBQvl",
        "Bs7w65KwRQqvvjxnIfg",
        "ANI79jikif0qPXooA8b",
        "amRkT9oNG1hNpndv8MF",
        "LUbQyCGnDbnyBPqq4yRc",
        "hEcMUMGgtTnoJ20yiB69",
        "g16yxQ4BAnZSbR8SQPP",
        "RGRaguBe1c7w3PXJMS",
        "kOv8Xirz4Otq1pnXyD9",
        "kDqOi620SO",
        "XD]aO",
        "c6>|'3",
        "pyMtH90wN76AddTYjS6",
        "FQsTMRcLjg",
        "RJd2WLUPnMTtY9MYhV1",
        "0@n-lW",
        "ea2IPYGCaXZTLhWw0J2R",
        "nepXvIGGaKS9vqESgHfA",
        "HoCFEQaZC",
        " -D\"y",
        "soRrP",
        "I3bvDW6GuD",
        "H9ZJCLb90p",
        "ctcXsyULUIA3AwUZMgE",
        "vwHeDl14SqSBElcw2X8",
        "QBIeEga5HF",
        "pNWPixqPLb",
        "pyHHiQsraLbCoheYvuE",
        "iTWKPDQUWIsQ0tH6G8",
        "rfDbs9GKqhDwV0rEGpgP",
        "(9MU=",
        "T[t_$A(=",
        "v^rKd*",
        "jsnjIUlPh7",
        "7+;\"cY",
        "get_Item",
        "ERtLVqdUeYgeuVynYqI",
        "ko'Juu}sY",
        "uVRi5WGX8yg5RUYxpvRw",
        "k6t7bCbOUi1Wkm6Aadm",
        "i6xqgUTsnp",
        "eowU7xFb79kHw309AIo",
        "PpgjSjr70f",
        "AUfyL8XrZ5",
        "Label26",
        "N2Rjv3yVAt3PhMj5eoJ",
        "TableLayoutRowStyleCollection",
        "MGd9QgGNENRskvXUPdRy",
        "ulye4ADdAE6ZS4mHxgT",
        "ylTRFmEtgF",
        ">~<M|,XB",
        "gdelegate3_1",
        "|fC}wR",
        "YRygktGXMyh6WmeVwupl",
        "UK,WH",
        "P:{eB",
        "YLpns4GxFmYgVtnUQH6u",
        "HUZ6YSGkxZqWaIFfD4Vv",
        "%3\"@d",
        "version_0",
        "Obsirf13Nk",
        "get_Group",
        "B8e95iWrRIN00BsQylw",
        "qv1LsdGlKOO6heVcU6xG",
        "5@+?TJ",
        "WfSJlgD6La",
        "C0BOJ9zPjv1HCsmPQUa",
        "MPhuDQGlFubka7agogU3",
        "dSNGxKlkQ1cyni1KOSQ",
        "CPPqPIHUN2",
        "ilt2C9eoA7loctj3I9h",
        "XotOOmlDvA",
        "hfdn0dGPZEwU5In9FbCY",
        "O)~\"\\",
        "set_MaximumSize",
        "x3ZZ6yTIUcsq7BQfVo1",
        "a8RTIEJSTgu0OLGGlyR",
        "FHOO0qGIxllFPmSS8Axv",
        "remove_ColumnReordered",
        "a8llbSxAoTvJ1XEHgi0",
        "eRYYEc4wBt",
        "l:?V1",
        "GHT5fgGrFOoaAhWP2Yg5",
        "TOMOWIGKbPhiiALRA4Eu",
        "AIheaIaGdrlgUbhS9Vb",
        "1I!N7",
        "aGT4FScoEWrlU0MOGkD",
        "m[}h/Vzb",
        "kA2WnseVwk6BM4vreOP",
        "String",
        "vQmCixJXhm",
        "AsCupEIoQIUhwXP2D9b",
        "n6MCMVhYf3RH3ouiTJf",
        "set_SmoothingMode",
        "MUCyh1DrYw4XfF14nyk",
        "image_1",
        "uBZREQ7tSN",
        "C80s6BhuGy8rmAIsjPw",
        "dLXQerGwIro6lOwalyNu",
        "MpSCvCGeEw2XCDREG3tO",
        "i<[=b",
        "R;Yb2",
        "pX0ZkcXNtBDm1NEUVm9",
        "Pr5vbxucfolHyoS4oFw",
        "ofoPmQTUkd2Vxj1vSnB",
        "JHl4gYG4Ww8W17qNTnmU",
        "JPpeW0JRnX",
        "A+.-]",
        "lSCAEkGueu8hpLo5Vmt",
        "sOFctY3JgFyTm59JirA",
        "PYa5r",
        "Lro6orwZ1b63n3Fhm0u",
        "1d_&6?0",
        "fPECQ2ja42x18AQ9b7c",
        "cAsjWGa4xAR8NKJtpmK",
        "H6cve",
        "*]MN`",
        "P@G9L",
        "BavoOAlXpf",
        "$$method0x600002a-2",
        "Tx83D&=1",
        "vnkfvJNzuaBjvhWHMOp",
        "iZSrlPr1tJVVTDcuYo",
        "eEJdPDad8l",
        "RuYf4DG8B5oyEVJyebqG",
        "f$uq?",
        "v$J-U",
        "IEnumerable`1",
        "HepcmqpnfIudCOJFGHx",
        "cj7OJ7eKlMdxaR2MjlH",
        "get_DisplayIndex",
        "ToInt64",
        "Aotn95nCpYestu9PTC",
        "T?<KHUX",
        "Bjrjx9HWqiuZsLuvTnx",
        "omo5pqTpqUtfHraqGYU",
        "ZPP{>5",
        "LDODvawpppieqM7sTs7",
        "v0OqQwpWsvfl7o6qptJ",
        "V(_Z=v",
        "ItemDragEventHandler",
        "vlRnJhkBWB",
        "iqC0F4FKpKF83Wpd6On",
        "y*93[A",
        "WZGTJIkHWI",
        "SoXn'",
        "SdQOuyBcQ6",
        "x7lJ2dZPDSr8G79Kp5",
        "method_45",
        "{kDPn",
        "Ms$.'",
        "duCq6nUd9K",
        "set_ClientSize",
        "CK]9R",
        "Gjk0apUvWJ",
        "BGP5eCSBJr4loGGJUe7",
        "Rhe4Ryo97ZKGZVNQvU1",
        "@eNS7~#",
        "System.IO.Compression",
        "ColumnReorderedEventHandler",
        "S35or00lGjKiZZFEtuO",
        "mNk28OGLxFRaUCdnmNuM",
        "ArwhHRmZC5",
        "BJ/X*",
        "chyEj4bmqvEmeRie0S5",
        "gePHlShyFJfWMjv0VBy",
        "ax3DcXGkEAwpYa6sKRgs",
        "zJIXb",
        "elRvhvGn7ihlj6KUHFOc",
        "gc6343SIGR4mQhE95Yf",
        "k{y'&P",
        "C^m?JG",
        "rCJs4HGEDHB2hJRmvjWQ",
        "lBnHCwTc1a99TGGIAwd",
        "WOYWB6",
        "get_Key",
        "ListViewItemSelectionChangedEventHandler",
        "BpXPxghsTi",
        "dG5DcSt1wqevxMBS8oF",
        "iserverFileTransfer_0",
        "DL\\(m",
        " py7R;",
        "_i ?1",
        "[H%Z\"=",
        "dl1sRfm5wGJiVxZPEAj",
        "N6B6eMbYw6X0ixX63mV",
        "oVvJ8OGyRoGVdXy36ijd",
        "EXbBeJtY2K",
        "xQ5QGA4L1k",
        "POPVBFELBGKyjwH5ycl",
        "e7dLWHG4Kii3OC7qLTs6",
        "iEnT[\\b",
        "o75T5lGhibec2HYlNKD0",
        "R4i2FQtpCufJgv609hy",
        "eJ42Z",
        "E<)_M",
        "w1b092GXCWX5WHbG99tm",
        "@=)I!",
        "6,mC-",
        "ClHJwhiPdhkJT8RhZX7",
        "|ISd*I!-",
        "/]py/y",
        "axM2iB4pwq7sQmKDl0W",
        "eUtUJHG8PKUpV5vxCDMR",
        "plRb>X",
        "acHT9Hri68",
        "BottomRight",
        "W6SbB5G8FVTI2Q5tZ44E",
        "Um8ScPXhftxcpjWjrOt",
        "q0cj5gGYElF9gL6bDKqL",
        "get_Callback",
        "Button7",
        "A79N|",
        "iLoWhnw9VaQuPtuOAbZ",
        "xIBn4TIFAb",
        "z7fwfdbW0p",
        "FoJT2GZ7A4",
        "ToolStripControlHost",
        ";pF\"1H",
        "y\\DI\"I",
        "zTeI4Rl6QJNSaiXfsvQ",
        "omBf68eN5d",
        "Klg/s",
        "set_Minimum",
        "FuVcrbGm5IeG5cgUee7C",
        "iBc/%",
        "AxemHoEOahaJuDhJ8Gm",
        "cYfflBgq8O",
        "QuIYjxLg1yLxww4ClvG",
        "PortManagerPage",
        "aSZGJG59e2kSHPt0oh",
        "DR4IhaUW3",
        "jAnORRyVKU",
        "N#'!;^i*',x",
        "enC8VErXyo5AZHWIMII",
        "GControl4",
        "GClass23",
        "?G|hT",
        "\"PX,U",
        "kZn7SCHGULqAnXP1mLc",
        "c7vdyRG0Ca",
        "sI4w8bUDXZFIvGblKDx",
        "Xb7ORF2iWXvanVBRRoG",
        "KVwVV4OCoB25fN8j6Zy",
        "YQYs^",
        "TETBYqMPWG",
        "iLDb8gXDGN",
        "toolStripMenuItem_2",
        "|sP*@",
        "eQYiqnbCJq",
        "H0oEsbKH19scIN7wrw",
        "AssemblyDelaySignAttribute",
        "get_MainModule",
        "E*E6EIE]EpE",
        "Jo$ -D",
        "+m/0x",
        "RiDDMsGyf23NE9K9UdQS",
        "fR27N",
        "SkHfB7DpINLuKqNJpKi",
        "-( hi",
        "ke7ypLAK1M",
        "bI;q^S",
        "F0T7dxvKha1xngFQFtN",
        "'8-dH",
        "EeffoTGnkxWN4GBcH1KW",
        "Attribute",
        "QFMoZaFjCUOcg92s4kr",
        "Z/Xu_g",
        "s5 SXU|~",
        "lZ8ifMiKGK",
        "method",
        "RV}P`",
        "edaV^",
        "VoHvRxGn9QNB6RuDHYoT",
        "tolZGc9i2klEmfWU0YP",
        "hA_-&",
        "k9PAASGLDWKcthxfnUwD",
        "MEMd7IGRAwaDctOCfYn6",
        "S{$#l",
        "LpCsJfr0BUP6jMSB3iG",
        "mx* R",
        "Mlu4k1aZER5FHrqy8sn",
        "PortManagerAddForm",
        "q5dxBjIhtRTyWoIbCeu",
        "uUcoTCSnqWquIkkx5ZN",
        "set_Image",
        "ServerFileName",
        "PXyxnO5aBdtg257JcuJ",
        "tqSyTjxPeM",
        "LD~?Y",
        "sHfSOALZA2"
      ],
      "virustotal": {
        "error": true,
        "msg": "VT File lookup disabled in processing.conf"
      },
      "executed_tools": [
        "overlay",
        "msi_extract",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "cape_type_code": 0,
      "cape_type": ""
    }
  },
  "procdump": [
    {
      "name": "41aadfb791505cfdbc1cc8cec5346e64c46896a6778c737ead64f384b55d504e",
      "path": "/opt/CAPEv2/storage/analyses/42/procdump/41aadfb791505cfdbc1cc8cec5346e64c46896a6778c737ead64f384b55d504e",
      "guest_paths": "1;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\dw20.exe;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\dw20.exe;?",
      "size": 28672,
      "crc32": "99A06415",
      "md5": "9f49104a3abfa469ef8f494167117b37",
      "sha1": "c79e3f1c0d20218678b9442b044bbe0f63b5abab",
      "sha256": "41aadfb791505cfdbc1cc8cec5346e64c46896a6778c737ead64f384b55d504e",
      "sha512": "d4ff8b3372a203437f783392679189bcd2b04e2616b754c78ea3ca8aa21e5949b7895208377ddebb9c5060c6e3b54e3aa2a77d7ac34cd703cec82db569599ab2",
      "rh_hash": null,
      "ssdeep": "768:bm3EGjuzCMFspRmiuadnC8RGy8NoJIqkKaIgi:afpRLuadCV41aId",
      "type": "PE32 executable (GUI) Intel 80386, for MS Windows",
      "yara": [
        {
          "name": "IsPE32",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "IsWindowsGUI",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "HasDebugData",
          "meta": {
            "author": "_pusher_",
            "description": "DebugData Check",
            "date": "2016-07"
          },
          "strings": [],
          "addresses": {}
        },
        {
          "name": "HasRichSignature",
          "meta": {
            "author": "_pusher_",
            "description": "Rich Signature Check",
            "date": "2016-07"
          },
          "strings": [
            "Rich"
          ],
          "addresses": {
            "a0": 224
          }
        },
        {
          "name": "Visual_Cpp_2005_Release_Microsoft",
          "meta": {},
          "strings": [
            "{ E8 84 06 00 00 E9 A2 FD FF FF }"
          ],
          "addresses": {
            "a": 16772
          }
        },
        {
          "name": "VC8_Microsoft_Corporation",
          "meta": {},
          "strings": [
            "{ E8 84 06 00 00 E9 A2 FD FF FF }",
            "{ E8 FB FE FF FF E9 DD FF FF FF }",
            "{ E8 EC FE FF FF E9 CE FF FF FF }"
          ],
          "addresses": {
            "a": 17059
          }
        },
        {
          "name": "Microsoft_Visual_Cpp_8",
          "meta": {},
          "strings": [
            "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
            "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
            "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
            "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000",
            "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000",
            "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000",
            "{ 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 1A A6 DC 9E 1A A6 DC 9E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }",
            "{ 00 00 00 00 00 00 02 00 00 00 00 00 00 00 1A A6 DC 9E 1A A6 DC 9E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }",
            "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000",
            "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000",
            "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000",
            "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0003\u0000\u0006\u0000\u0000",
            "{ E8 84 06 00 00 E9 A2 FD FF FF }"
          ],
          "addresses": {
            "a": 28590,
            "b": 16772
          }
        }
      ],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T132D23D20774596BBE5B61730F96A92392AFD31226CB6950FA3661F0C3D785C3B438B13",
      "sha3_384": "f523d18a35a3f1bc7c0e8d912f62abb36a772e1d775d78667b69de112e924f3aa2438e213eb65bd3978ad0c7dcfeab02",
      "yara_hash": "b833150b13e1662cfeb7589959edd288cf4e73710395ec5c5f2123f39a668f4d",
      "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
      "pe": {
        "guest_signers": {
          "aux_sha1": null,
          "aux_timestamp": null,
          "aux_valid": false,
          "aux_error": true,
          "aux_error_desc": "No signature found.",
          "aux_signers": []
        },
        "digital_signers": [],
        "imagebase": "0x10000000",
        "entrypoint": "0x00004d84",
        "ep_bytes": "e884060000e9a2fdffffff255c110010",
        "peid_signatures": null,
        "reported_checksum": "0x00013ae9",
        "actual_checksum": "0x00011ce0",
        "osversion": "5.0",
        "machine_type": "IMAGE_FILE_MACHINE_I386",
        "pdbpath": "dw20.pdb",
        "imports": {
          "MSVCR80": {
            "dll": "MSVCR80.dll",
            "imports": [
              {
                "address": "0x100010bc",
                "name": "_crt_debugger_hook"
              },
              {
                "address": "0x100010c0",
                "name": "_controlfp_s"
              },
              {
                "address": "0x100010c4",
                "name": "_invoke_watson"
              },
              {
                "address": "0x100010c8",
                "name": "_decode_pointer"
              },
              {
                "address": "0x100010cc",
                "name": "_onexit"
              },
              {
                "address": "0x100010d0",
                "name": "_lock"
              },
              {
                "address": "0x100010d4",
                "name": "__dllonexit"
              },
              {
                "address": "0x100010d8",
                "name": "_unlock"
              },
              {
                "address": "0x100010dc",
                "name": "_except_handler4_common"
              },
              {
                "address": "0x100010e0",
                "name": "?terminate@@YAXXZ"
              },
              {
                "address": "0x100010e4",
                "name": "__set_app_type"
              },
              {
                "address": "0x100010e8",
                "name": "_encode_pointer"
              },
              {
                "address": "0x100010ec",
                "name": "__p__fmode"
              },
              {
                "address": "0x100010f0",
                "name": "__p__commode"
              },
              {
                "address": "0x100010f4",
                "name": "_adjust_fdiv"
              },
              {
                "address": "0x100010f8",
                "name": "__setusermatherr"
              },
              {
                "address": "0x100010fc",
                "name": "_configthreadlocale"
              },
              {
                "address": "0x10001100",
                "name": "_initterm_e"
              },
              {
                "address": "0x10001104",
                "name": "_initterm"
              },
              {
                "address": "0x10001108",
                "name": "__winitenv"
              },
              {
                "address": "0x1000110c",
                "name": "exit"
              },
              {
                "address": "0x10001110",
                "name": "_XcptFilter"
              },
              {
                "address": "0x10001114",
                "name": "_exit"
              },
              {
                "address": "0x10001118",
                "name": "_cexit"
              },
              {
                "address": "0x1000111c",
                "name": "__wgetmainargs"
              },
              {
                "address": "0x10001120",
                "name": "_amsg_exit"
              },
              {
                "address": "0x10001124",
                "name": "iswspace"
              },
              {
                "address": "0x10001128",
                "name": "memmove"
              },
              {
                "address": "0x1000112c",
                "name": "_vscwprintf"
              },
              {
                "address": "0x10001130",
                "name": "_vsnwprintf_s"
              },
              {
                "address": "0x10001134",
                "name": "_wcsnicmp"
              },
              {
                "address": "0x10001138",
                "name": "??_U@YAPAXI@Z"
              },
              {
                "address": "0x1000113c",
                "name": "??_V@YAXPAX@Z"
              },
              {
                "address": "0x10001140",
                "name": "_wtoi64"
              },
              {
                "address": "0x10001144",
                "name": "??2@YAPAXI@Z"
              },
              {
                "address": "0x10001148",
                "name": "??3@YAXPAX@Z"
              },
              {
                "address": "0x1000114c",
                "name": "memset"
              },
              {
                "address": "0x10001150",
                "name": "wcschr"
              },
              {
                "address": "0x10001154",
                "name": "wcsrchr"
              },
              {
                "address": "0x10001158",
                "name": "_wcsicmp"
              },
              {
                "address": "0x1000115c",
                "name": "__CxxFrameHandler3"
              }
            ]
          },
          "ADVAPI32": {
            "dll": "ADVAPI32.dll",
            "imports": [
              {
                "address": "0x10001000",
                "name": "RegisterEventSourceW"
              },
              {
                "address": "0x10001004",
                "name": "ReportEventW"
              },
              {
                "address": "0x10001008",
                "name": "DeregisterEventSource"
              },
              {
                "address": "0x1000100c",
                "name": "RegOpenKeyExW"
              },
              {
                "address": "0x10001010",
                "name": "RegQueryValueExW"
              },
              {
                "address": "0x10001014",
                "name": "RegCloseKey"
              }
            ]
          },
          "KERNEL32": {
            "dll": "KERNEL32.dll",
            "imports": [
              {
                "address": "0x1000101c",
                "name": "Sleep"
              },
              {
                "address": "0x10001020",
                "name": "ReadProcessMemory"
              },
              {
                "address": "0x10001024",
                "name": "GetTickCount"
              },
              {
                "address": "0x10001028",
                "name": "WaitForMultipleObjects"
              },
              {
                "address": "0x1000102c",
                "name": "GetModuleHandleW"
              },
              {
                "address": "0x10001030",
                "name": "lstrlenA"
              },
              {
                "address": "0x10001034",
                "name": "lstrlenW"
              },
              {
                "address": "0x10001038",
                "name": "GetCommandLineW"
              },
              {
                "address": "0x1000103c",
                "name": "GetSystemDirectoryW"
              },
              {
                "address": "0x10001040",
                "name": "LoadLibraryW"
              },
              {
                "address": "0x10001044",
                "name": "GetProcAddress"
              },
              {
                "address": "0x10001048",
                "name": "CreateThread"
              },
              {
                "address": "0x1000104c",
                "name": "SetThreadStackGuarantee"
              },
              {
                "address": "0x10001050",
                "name": "MapViewOfFile"
              },
              {
                "address": "0x10001054",
                "name": "GetUserDefaultUILanguage"
              },
              {
                "address": "0x10001058",
                "name": "MultiByteToWideChar"
              },
              {
                "address": "0x1000105c",
                "name": "Module32FirstW"
              },
              {
                "address": "0x10001060",
                "name": "CreateToolhelp32Snapshot"
              },
              {
                "address": "0x10001064",
                "name": "GetProcessId"
              },
              {
                "address": "0x10001068",
                "name": "SetEnvironmentVariableW"
              },
              {
                "address": "0x1000106c",
                "name": "GetCurrentProcess"
              },
              {
                "address": "0x10001070",
                "name": "Module32NextW"
              },
              {
                "address": "0x10001074",
                "name": "InterlockedExchange"
              },
              {
                "address": "0x10001078",
                "name": "InterlockedCompareExchange"
              },
              {
                "address": "0x1000107c",
                "name": "SetUnhandledExceptionFilter"
              },
              {
                "address": "0x10001080",
                "name": "QueryPerformanceCounter"
              },
              {
                "address": "0x10001084",
                "name": "GetCurrentThreadId"
              },
              {
                "address": "0x10001088",
                "name": "GetCurrentProcessId"
              },
              {
                "address": "0x1000108c",
                "name": "GetSystemTimeAsFileTime"
              },
              {
                "address": "0x10001090",
                "name": "TerminateProcess"
              },
              {
                "address": "0x10001094",
                "name": "UnhandledExceptionFilter"
              },
              {
                "address": "0x10001098",
                "name": "IsDebuggerPresent"
              },
              {
                "address": "0x1000109c",
                "name": "SetEvent"
              },
              {
                "address": "0x100010a0",
                "name": "GetLastError"
              },
              {
                "address": "0x100010a4",
                "name": "UnmapViewOfFile"
              },
              {
                "address": "0x100010a8",
                "name": "ReleaseMutex"
              },
              {
                "address": "0x100010ac",
                "name": "CloseHandle"
              },
              {
                "address": "0x100010b0",
                "name": "WaitForSingleObject"
              },
              {
                "address": "0x100010b4",
                "name": "OpenThread"
              }
            ]
          },
          "USER32": {
            "dll": "USER32.dll",
            "imports": [
              {
                "address": "0x1000116c",
                "name": "LoadStringW"
              }
            ]
          },
          "VERSION": {
            "dll": "VERSION.dll",
            "imports": [
              {
                "address": "0x10001174",
                "name": "GetFileVersionInfoW"
              },
              {
                "address": "0x10001178",
                "name": "VerQueryValueW"
              },
              {
                "address": "0x1000117c",
                "name": "GetFileVersionInfoSizeW"
              }
            ]
          },
          "PSAPI": {
            "dll": "PSAPI.DLL",
            "imports": [
              {
                "address": "0x10001164",
                "name": "GetModuleFileNameExW"
              }
            ]
          }
        },
        "exported_dll_name": null,
        "exports": [],
        "dirents": [
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
            "virtual_address": "0x0000608c",
            "size": "0x0000008c"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
            "virtual_address": "0x00008000",
            "size": "0x00000874"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
            "virtual_address": "0x00006a00",
            "size": "0x000023a8"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
            "virtual_address": "0x000011a0",
            "size": "0x0000001c"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_TLS",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
            "virtual_address": "0x000014c0",
            "size": "0x00000040"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IAT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          }
        ],
        "sections": [
          {
            "name": ".text",
            "raw_address": "0x00000400",
            "virtual_address": "0x00001000",
            "virtual_size": "0x00006000",
            "size_of_data": "0x00005a00",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xe0000020",
            "entropy": "6.24"
          },
          {
            "name": ".data",
            "raw_address": "0x00005e00",
            "virtual_address": "0x00007000",
            "virtual_size": "0x00001000",
            "size_of_data": "0x00000600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "0.63"
          },
          {
            "name": ".rsrc",
            "raw_address": "0x00006400",
            "virtual_address": "0x00008000",
            "virtual_size": "0x00001000",
            "size_of_data": "0x00000c00",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "3.89"
          }
        ],
        "overlay": null,
        "resources": [
          {
            "name": "RT_STRING",
            "offset": "0x00008118",
            "size": "0x00000162",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.90"
          },
          {
            "name": "RT_STRING",
            "offset": "0x0000827c",
            "size": "0x0000006c",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.43"
          },
          {
            "name": "RT_VERSION",
            "offset": "0x000082e8",
            "size": "0x000003c8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.52"
          },
          {
            "name": "RT_MANIFEST",
            "offset": "0x000086b0",
            "size": "0x000001c1",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.01"
          }
        ],
        "versioninfo": [
          {
            "name": "CompanyName",
            "value": "Microsoft Corporation"
          },
          {
            "name": "FileDescription",
            "value": "Microsoft .NET Error Reporting Shim"
          },
          {
            "name": "FileVersion",
            "value": "2.0.50727.9149 (WinRelRS6.050727-9100)"
          },
          {
            "name": "InternalName",
            "value": "dw20.exe"
          },
          {
            "name": "LegalCopyright",
            "value": "© Microsoft Corporation.  All rights reserved."
          },
          {
            "name": "OriginalFilename",
            "value": "dw20.exe"
          },
          {
            "name": "ProductName",
            "value": "Microsoft® .NET Framework"
          },
          {
            "name": "ProductVersion",
            "value": "2.0.50727.9149"
          },
          {
            "name": "Comments",
            "value": "Flavor=Retail"
          },
          {
            "name": "Translation",
            "value": "0x0409 0x04b0"
          }
        ],
        "imphash": "99c2283e16a84760f7d38eab01642407",
        "timestamp": "2019-10-25 08:48:29",
        "icon": null,
        "icon_hash": null,
        "icon_fuzzy": null,
        "icon_dhash": null,
        "imported_dll_count": 6
      },
      "data": null,
      "strings": [
        "4=ylL=_",
        "unknown",
        "USER32.dll",
        "??_U@YAPAXI@Z",
        "040904B0",
        "Application Name       ",
        "_wcsicmp",
        "MSVCR80.dll",
        "GetCurrentProcess",
        "SetEnvironmentVariableW",
        "CreateThread",
        "ReleaseMutex",
        "__winitenv",
        "Ios[Hos",
        "memset",
        "RegQueryValueExW",
        "\\VarFileInfo\\Translation",
        "RegOpenKeyExW",
        "RegisterEventSourceW",
        "_except_handler4_common",
        "nsgFns=",
        "RegCloseKey",
        "__CxxFrameHandler3",
        "drwtsn32",
        "4=ylH=_",
        "InternalName",
        "PSVW3",
        "_encode_pointer",
        "CloseHandle",
        "MapViewOfFile",
        "KERNEL32.dll",
        "_XcptFilter",
        "Mutex while in notify loop",
        "Fault Module Name      ",
        "__wgetmainargs",
        "??_V@YAXPAX@Z",
        "MultiByteToWideChar",
        "Debugger",
        "ReadProcessMemory",
        "Exception Offset       ",
        "UnmapViewOfFile",
        "moddir",
        "Flavor=Retail",
        "WerReportSetParameter",
        "Module32NextW",
        "Application Timestamp  ",
        "LegalCopyright",
        "VarFileInfo",
        "WerReportCloseHandle",
        "GetCurrentThreadId",
        "LoadLibraryW",
        "appdir",
        "wcsrchr",
        "??3@YAXPAX@Z",
        "CompanyName",
        "_exit",
        "SetUnhandledExceptionFilter",
        "__p__commode",
        "_vscwprintf",
        "WerReportAddDump",
        "FileVersion",
        "Notification handles",
        "GetFileVersionInfoW",
        "SetThreadStackGuarantee",
        "??2@YAPAXI@Z",
        "__dllonexit",
        "__set_app_type",
        "qs JosIqos",
        "_crt_debugger_hook",
        ".text",
        "LoadStringW",
        "wcschr",
        "2.0.50727.9149",
        "GetCommandLineW",
        "StringFileInfo",
        "iswspace",
        "_amsg_exit",
        "GetUserDefaultUILanguage",
        "GetCurrentProcessId",
        "ProductVersion",
        "TerminateProcess",
        "ReportEventW",
        "GetSystemTimeAsFileTime",
        " Microsoft Corporation.  All rights reserved.",
        "FileDescription",
        "_controlfp_s",
        "HtZHu",
        "__p__fmode",
        "WaitForSingleObject",
        "GetModuleHandleW",
        "WerReportAddFile",
        "lstrlenW",
        "GWPCS",
        "APPCRASH",
        ".data",
        ".rsrc",
        "!This program cannot be run in DOS mode.",
        "ADVAPI32.dll",
        "QueryPerformanceCounter",
        "WerReportCreate",
        "SetEvent",
        "DeregisterEventSource",
        "UnhandledExceptionFilter",
        "ProductName",
        "_invoke_watson",
        "_decode_pointer",
        " .NET Framework",
        "_initterm",
        "Application Error",
        "GetSystemDirectoryW",
        "RSDSQF",
        "VERSION.dll",
        "memmove",
        "WaitForMultipleObjects",
        "drwatson",
        "e\\wer.dll",
        "GetFileVersionInfoSizeW",
        "VtAHt",
        "Microsoft .NET Error Reporting Shim",
        "PSAPI.DLL",
        "GetProcAddress",
        "_unlock",
        "FHPj8",
        "GetLastError",
        "__setusermatherr",
        "nsb+ns9 ns",
        "Translation",
        "OriginalFilename",
        "bad allocation",
        "VVVVV",
        "GetProcessId",
        "OpenThread",
        "%General_AppName%",
        "_vsnwprintf_s",
        "2.0.50727.9149 (WinRelRS6.050727-9100)",
        "Fault Module Timestamp ",
        "Application Version    ",
        "?terminate@@YAXXZ",
        "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug",
        "%d.%d.%d.%d",
        "\\StringFileInfo\\%04x%04x\\%s",
        "Exception Code         ",
        "CreateToolhelp32Snapshot",
        "f98t7",
        "VS_VERSION_INFO",
        "_onexit",
        "GetTickCount",
        "dw20.pdb",
        "os Sos",
        "IsDebuggerPresent",
        "f98t.",
        "_lock",
        "Sleep",
        "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><assemblyIdentity version=\"1.0.0.0\" processorArchitecture=\"X86\" name=\"dw20\" type=\"win32\" publicKeyToken=\"000000000000000\"></assemblyIdentity><dependency><dependentAssembly><assemblyIdentity type=\"win32\" name=\"Microsoft.VC80.CRT\" version=\"8.0.50608.0\" processorArchitecture=\"x86\" publicKeyToken=\"1fc8b3b9a1e18e3b\"></assemblyIdentity></dependentAssembly></dependency></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD",
        "Microsoft",
        "InterlockedCompareExchange",
        "dw20.exe",
        "Comments",
        "Module32FirstW",
        "Microsoft Corporation",
        "InterlockedExchange",
        "_wcsnicmp",
        "_configthreadlocale",
        "lstrlenA",
        "GetModuleFileNameExW",
        "WerReportSubmit",
        "Y__^[",
        "4=ylZ=T",
        "_wtoi64",
        "VerQueryValueW",
        "Fault Module Version   ",
        "Stopped working",
        "_adjust_fdiv",
        "_initterm_e",
        "4=Rich^",
        "WerReportSetUIOption",
        "_cexit"
      ],
      "virustotal": {
        "error": true,
        "msg": "VT File lookup disabled in processing.conf"
      },
      "executed_tools": [
        "overlay",
        "msi_extract",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "cape_type_code": 1,
      "cape_type": "",
      "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\dw20.exe",
      "process_name": "dw20.exe",
      "module_path": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\dw20.exe",
      "pid": 3832
    }
  ],
  "CAPE": {
    "payloads": [
      {
        "name": "9c5081d0edccacc1efd6579e5076ca888a0cb1ba5e338c4716a471729d425336",
        "path": "/opt/CAPEv2/storage/analyses/42/CAPE/9c5081d0edccacc1efd6579e5076ca888a0cb1ba5e338c4716a471729d425336",
        "guest_paths": "9;?C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe;?C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe;?0x02F70000;?",
        "size": 21,
        "crc32": "B0B5AEF7",
        "md5": "7e3fd3b1c52ef864300309a100f326b3",
        "sha1": "6743e47f4195b3f003b895af8299603b447b8f9e",
        "sha256": "9c5081d0edccacc1efd6579e5076ca888a0cb1ba5e338c4716a471729d425336",
        "sha512": "5b4972750837f9dec646ea86d72c3853d94ea80cab133ef8cf3e7528be3c6793144277c5c3e2d4eea4bf58afc6cb8650f5d71a345bf4ea09572ca7185286d9fa",
        "rh_hash": null,
        "ssdeep": "3:pSl3+:8U",
        "type": "data",
        "yara": [],
        "cape_yara": [],
        "clamav": [],
        "tlsh": null,
        "sha3_384": "fde328ba1bae94265af3aabe140505d595db1b11ada2b334b00c919ff3b85ba862b8dfd92ff880f4fdeefa928f9a9bf9",
        "yara_hash": "b833150b13e1662cfeb7589959edd288cf4e73710395ec5c5f2123f39a668f4d",
        "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
        "data": null,
        "strings": [],
        "virustotal": {
          "error": true,
          "msg": "VT File lookup disabled in processing.conf"
        },
        "executed_tools": [
          "overlay",
          "msi_extract",
          "kixtart_extract",
          "vbe_extract",
          "batch_extract",
          "UnAutoIt_extract",
          "UPX_unpack",
          "RarSFX_extract",
          "Inno_extract",
          "SevenZip_unpack",
          "de4dot_deobfuscate",
          "eziriz_deobfuscate",
          "office_one"
        ],
        "cape_type_code": 9,
        "cape_type": "Unpacked Shellcode",
        "process_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "process_name": "NanoCore.exe",
        "module_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "pid": 7684,
        "virtual_address": "0x02F70000"
      },
      {
        "name": "263a6494a70b1f92ad33ea287eccd6e216498a709c6a5719167942e06d329d8d",
        "path": "/opt/CAPEv2/storage/analyses/42/CAPE/263a6494a70b1f92ad33ea287eccd6e216498a709c6a5719167942e06d329d8d",
        "guest_paths": "9;?C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe;?C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe;?0x07EC0000;?",
        "size": 844,
        "crc32": "63E1CB5B",
        "md5": "980f50f12e31562ce740375eb3d309c4",
        "sha1": "087ee96d860c053a2da4d55852d1bb10829f67a0",
        "sha256": "263a6494a70b1f92ad33ea287eccd6e216498a709c6a5719167942e06d329d8d",
        "sha512": "847b93f2b5e89b3a6c20f152b4409e3b00a07768bfbbb8733c10c7db079db551e68275a1a8b199c503a38616d8073d4a239d1f8cf9ff5e46d3cef68091f1617f",
        "rh_hash": null,
        "ssdeep": "12:Xkow+u/IxNpuiZATjGDwhGRkRSl4RlGjw0o2u/4KpWLZVfIhLli+u/QtocwuRTlB:X1uPhTiD6GR9l4TGjWwz9JBoaIE0n",
        "type": "Windows boot log, header size 0x7ec0000, 0x1 valid bytes",
        "yara": [],
        "cape_yara": [],
        "clamav": [],
        "tlsh": "T1ED01BD4F1BC450A5CC88D0FB5569E387EA1D827A6252A5B5DA6C72B0263CAE4249D072",
        "sha3_384": "8ca96ce8c78cb93cbd0cfe27075dcf285892d2579f20e22bd070937d59e7e33732c5e2658b9a060959420b5846193a28",
        "yara_hash": "b833150b13e1662cfeb7589959edd288cf4e73710395ec5c5f2123f39a668f4d",
        "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
        "data": null,
        "strings": [
          "kXPRV",
          "Pj0h|",
          "8~sUSVW",
          "PRh`9~sUSVW"
        ],
        "virustotal": {
          "error": true,
          "msg": "VT File lookup disabled in processing.conf"
        },
        "executed_tools": [
          "overlay",
          "msi_extract",
          "kixtart_extract",
          "vbe_extract",
          "batch_extract",
          "UnAutoIt_extract",
          "UPX_unpack",
          "RarSFX_extract",
          "Inno_extract",
          "SevenZip_unpack",
          "de4dot_deobfuscate",
          "eziriz_deobfuscate",
          "office_one"
        ],
        "cape_type_code": 9,
        "cape_type": "Unpacked Shellcode",
        "process_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "process_name": "NanoCore.exe",
        "module_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "pid": 7684,
        "virtual_address": "0x07EC0000"
      },
      {
        "name": "492405dd52974c0a6af2eecee33f3534ca32947fc3f0358a3e283886c9e89acc",
        "path": "/opt/CAPEv2/storage/analyses/42/CAPE/492405dd52974c0a6af2eecee33f3534ca32947fc3f0358a3e283886c9e89acc",
        "guest_paths": "9;?C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe;?C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe;?0x08020000;?",
        "size": 825,
        "crc32": "A06F2E76",
        "md5": "22da360861bfd4848de36bd865ef5a48",
        "sha1": "b4b39e5945d1a0be2c58d20b83f0175257e21473",
        "sha256": "492405dd52974c0a6af2eecee33f3534ca32947fc3f0358a3e283886c9e89acc",
        "sha512": "298331a1a5f4b3acae090640d2d767853f0c0fc806d5aadd3ca76db50d5d523891e17b47957106f655603e35974b4169d980e412181d815e80c7d936c5025fed",
        "rh_hash": null,
        "ssdeep": "12:HFwQlvrnQ9CJECIgXSecd/s8XLfxBL384Yv7NktCr2LocUs3QmvEPRG:1v/pI+6/3XT78HWgKLyTmas",
        "type": "Matlab v4 mat-file (little endian) \\230\\3370\\001\\, numeric, rows 134348800, columns 65536, imaginary (1)",
        "yara": [],
        "cape_yara": [],
        "clamav": [],
        "tlsh": "T147012083DB17A4B6D04B62F00162FBB2E5B59D46253F0F8823BA9DD03C7802553C66C1",
        "sha3_384": "c86cf165fc05de9e2fa016ee73db40f6d69409d14a4550122c8342d4991d07d1925d91ed7dbc19554d06a0b79b3c1d2b",
        "yara_hash": "b833150b13e1662cfeb7589959edd288cf4e73710395ec5c5f2123f39a668f4d",
        "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
        "data": null,
        "strings": [],
        "virustotal": {
          "error": true,
          "msg": "VT File lookup disabled in processing.conf"
        },
        "executed_tools": [
          "overlay",
          "msi_extract",
          "kixtart_extract",
          "vbe_extract",
          "batch_extract",
          "UnAutoIt_extract",
          "UPX_unpack",
          "RarSFX_extract",
          "Inno_extract",
          "SevenZip_unpack",
          "de4dot_deobfuscate",
          "eziriz_deobfuscate",
          "office_one"
        ],
        "cape_type_code": 9,
        "cape_type": "Unpacked Shellcode",
        "process_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "process_name": "NanoCore.exe",
        "module_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "pid": 7684,
        "virtual_address": "0x08020000"
      },
      {
        "name": "cb8b0403fbdc0da56c6e048cecba3ba5f7a294d4afdc2ea5b42584c27a264e82",
        "path": "/opt/CAPEv2/storage/analyses/42/CAPE/cb8b0403fbdc0da56c6e048cecba3ba5f7a294d4afdc2ea5b42584c27a264e82",
        "guest_paths": "9;?C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe;?C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe;?0x00B10000;?",
        "size": 536,
        "crc32": "77C338CA",
        "md5": "f905cd35858da9305a541be9b5693cc0",
        "sha1": "4e059e428b6b1de25fdaf7829cda1404dce8821c",
        "sha256": "cb8b0403fbdc0da56c6e048cecba3ba5f7a294d4afdc2ea5b42584c27a264e82",
        "sha512": "2c93a697349b0f54842f733bb8de3f716ec56f1841d9c9d302dad37d2d9013a8038ffb06a02c12adee0dbdfa6fe22dd846ccaa6013f92757a5886a080b373ed3",
        "rh_hash": null,
        "ssdeep": "6:idqGVg3F+X32QlwXo2ONs02//ad7/iH9cq4/Id5:etGSGQlwXo26WXadzHj25",
        "type": "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows",
        "yara": [
          {
            "name": "IsPE32",
            "meta": {},
            "strings": [],
            "addresses": {}
          },
          {
            "name": "IsWindowsGUI",
            "meta": {},
            "strings": [],
            "addresses": {}
          },
          {
            "name": "IsBeyondImageSize",
            "meta": {
              "author": "_pusher_",
              "date": "2016-07",
              "description": "Data Beyond ImageSize Check"
            },
            "strings": [],
            "addresses": {}
          }
        ],
        "cape_yara": [],
        "clamav": [],
        "tlsh": "T183F0C283BBA458BBC028037A4283AD4831BE1B380F61910B0EA0113F786216455B97C0",
        "sha3_384": "1de05cbc9d03ea5327545b7b78cf8c772b4ee8bd73ccb7d20b602f7fd9a2b36b9b00d37f0148cf2c81f04560c50464ec",
        "yara_hash": "b833150b13e1662cfeb7589959edd288cf4e73710395ec5c5f2123f39a668f4d",
        "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
        "pe": {
          "guest_signers": {
            "aux_sha1": null,
            "aux_timestamp": null,
            "aux_valid": false,
            "aux_error": true,
            "aux_error_desc": "No signature found.",
            "aux_signers": []
          },
          "digital_signers": [],
          "imagebase": "0x00400000",
          "entrypoint": "0x0015d0ce",
          "ep_bytes": "",
          "peid_signatures": null,
          "reported_checksum": "0x00000000",
          "actual_checksum": "0x0000a872",
          "osversion": "4.0",
          "machine_type": "IMAGE_FILE_MACHINE_I386",
          "pdbpath": null,
          "imports": {},
          "exported_dll_name": null,
          "exports": [],
          "dirents": [
            {
              "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
              "virtual_address": "0x0015d080",
              "size": "0x0000004b"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
              "virtual_address": "0x00160000",
              "size": "0x000049d8"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
              "virtual_address": "0x00166000",
              "size": "0x0000000c"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_TLS",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_IAT",
              "virtual_address": "0x00002000",
              "size": "0x00000008"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
              "virtual_address": "0x00000000",
              "size": "0x00000000"
            },
            {
              "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
              "virtual_address": "0x00002008",
              "size": "0x00000048"
            }
          ],
          "sections": [
            {
              "name": ".text",
              "raw_address": "0x00000400",
              "virtual_address": "0x00002000",
              "virtual_size": "0x0015b0d4",
              "size_of_data": "0x0015b200",
              "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
              "characteristics_raw": "0x60000020",
              "entropy": "0.00"
            },
            {
              "name": ".sdata",
              "raw_address": "0x0015b600",
              "virtual_address": "0x0015e000",
              "virtual_size": "0x000001e8",
              "size_of_data": "0x00000200",
              "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
              "characteristics_raw": "0xc0000040",
              "entropy": "0.00"
            },
            {
              "name": ".rsrc",
              "raw_address": "0x0015b800",
              "virtual_address": "0x00160000",
              "virtual_size": "0x000049d8",
              "size_of_data": "0x00004a00",
              "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
              "characteristics_raw": "0x40000040",
              "entropy": "0.00"
            },
            {
              "name": ".reloc",
              "raw_address": "0x00160200",
              "virtual_address": "0x00166000",
              "virtual_size": "0x0000000c",
              "size_of_data": "0x00000200",
              "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
              "characteristics_raw": "0x42000040",
              "entropy": "0.00"
            }
          ],
          "overlay": {
            "offset": "0x00000178",
            "size": "0x000000a0"
          },
          "resources": [],
          "versioninfo": [],
          "imphash": "",
          "timestamp": "2015-07-01 07:55:53",
          "icon": null,
          "icon_hash": null,
          "icon_fuzzy": null,
          "icon_dhash": null
        },
        "data": null,
        "strings": [
          "!This program cannot be run in DOS mode.",
          "`.sdata",
          "@.reloc",
          ".rsrc",
          ".text"
        ],
        "virustotal": {
          "error": true,
          "msg": "VT File lookup disabled in processing.conf"
        },
        "executed_tools": [
          "overlay",
          "msi_extract",
          "kixtart_extract",
          "vbe_extract",
          "batch_extract",
          "UnAutoIt_extract",
          "UPX_unpack",
          "RarSFX_extract",
          "Inno_extract",
          "SevenZip_unpack",
          "de4dot_deobfuscate",
          "eziriz_deobfuscate",
          "office_one"
        ],
        "selfextract": {
          "overlay": {
            "extracted_files": [
              {
                "name": "a67d08b6d561773840fdb8bcacdde7ba2ad7a8446cebdd9dc7416ae978dbdd70",
                "path": "/opt/CAPEv2/storage/analyses/42/selfextracted/a67d08b6d561773840fdb8bcacdde7ba2ad7a8446cebdd9dc7416ae978dbdd70",
                "guest_paths": [
                  "overlay"
                ],
                "size": 160,
                "crc32": "622436FF",
                "md5": "e3d4837cce811d8db6381c974df0f481",
                "sha1": "591c840e17f916509796475cb53422ff3de02d59",
                "sha256": "a67d08b6d561773840fdb8bcacdde7ba2ad7a8446cebdd9dc7416ae978dbdd70",
                "sha512": "52b03fdc5019a1095fcd6d7d16b1760f4085acb8aaaccd21150bcde65a22aca0267c5727cf135be3347ad361b90a90893b4d2df3808132b2469da0cb906b9fca",
                "rh_hash": null,
                "ssdeep": "3:ilf7/lllltFiCEFEIlSlJZ/8le/7cdFx//1:id7/iH9cq4/Id5",
                "type": "data",
                "yara": [],
                "cape_yara": [],
                "clamav": [],
                "tlsh": "T16EC012937B611123C411067980C2250475BC53301D25204F4D651061346015068B63C0",
                "sha3_384": "0398033c0dd80a0e094b9c2893036061247fc347aed550596f0077a0b3f15cfec391fc6b691dfea9f21cabea7f96568d",
                "data": null
              }
            ],
            "extracted_files_time": 0.0023010169970802963,
            "password": ""
          }
        },
        "cape_type_code": 9,
        "cape_type": "Unpacked Shellcode: 32-bit executable",
        "process_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "process_name": "NanoCore.exe",
        "module_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "pid": 7684,
        "virtual_address": "0x00B10000"
      },
      {
        "name": "064ec728231780bebf305dc752c6dbeca6cb311f53dec5a57657cd7d5a42f2a9",
        "path": "/opt/CAPEv2/storage/analyses/42/CAPE/064ec728231780bebf305dc752c6dbeca6cb311f53dec5a57657cd7d5a42f2a9",
        "guest_paths": "9;?C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe;?C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe;?0x7F550000;?",
        "size": 44,
        "crc32": "DF43BF57",
        "md5": "323fa4ac3cfca4d00ad5d478a70b0b22",
        "sha1": "600b38be261cc37e2344ce5bc57cd6ad69ed832e",
        "sha256": "064ec728231780bebf305dc752c6dbeca6cb311f53dec5a57657cd7d5a42f2a9",
        "sha512": "a6d9742460b7a6fc3ecb27812092ae9ec34163e26ca85d4b538a39b4b2ccdbdb49c72128110ad2a3bb2978844ec655dba2cca4e6445dbd798ff572545663077d",
        "rh_hash": null,
        "ssdeep": "3:Uaql/stl+ClrxlvLlXf:UF/sX+mXv5",
        "type": "data",
        "yara": [],
        "cape_yara": [],
        "clamav": [],
        "tlsh": null,
        "sha3_384": "2f0992b7985ab64371a06839435ae2b63c8fc37f942a8547ed9636ee8919ef42cbae60d64ce51659a671f2c0df229989",
        "yara_hash": "b833150b13e1662cfeb7589959edd288cf4e73710395ec5c5f2123f39a668f4d",
        "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
        "data": null,
        "strings": [],
        "virustotal": {
          "error": true,
          "msg": "VT File lookup disabled in processing.conf"
        },
        "executed_tools": [
          "overlay",
          "msi_extract",
          "kixtart_extract",
          "vbe_extract",
          "batch_extract",
          "UnAutoIt_extract",
          "UPX_unpack",
          "RarSFX_extract",
          "Inno_extract",
          "SevenZip_unpack",
          "de4dot_deobfuscate",
          "eziriz_deobfuscate",
          "office_one"
        ],
        "cape_type_code": 9,
        "cape_type": "Unpacked Shellcode",
        "process_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "process_name": "NanoCore.exe",
        "module_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "pid": 7684,
        "virtual_address": "0x7F550000"
      },
      {
        "name": "cc1ac7194daa2648e44bdd561a682e0e9ed3c808978b881348f8a4080d151f19",
        "path": "/opt/CAPEv2/storage/analyses/42/CAPE/cc1ac7194daa2648e44bdd561a682e0e9ed3c808978b881348f8a4080d151f19",
        "guest_paths": "9;?C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe;?C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe;?0x02F6A000;?",
        "size": 534,
        "crc32": "F3DF47EB",
        "md5": "9558ae86d97d54270b214e5cbcc7e469",
        "sha1": "0dc551d1dd604c43b7a3c22f6549aad025420a7b",
        "sha256": "cc1ac7194daa2648e44bdd561a682e0e9ed3c808978b881348f8a4080d151f19",
        "sha512": "0690414acb747b97cbab0417ac1f4395238c65b4f50e17baa24699a97b8aa1e2af49fe1bc5ca4b8957c0ef6610842a253c1eb579a771b0a9a99de7fce931f4c0",
        "rh_hash": null,
        "ssdeep": "6:7x3lOIGYUi5phKp9lM/gAEHsQsYHo2l1aB3LXXlM252VgbPo2lM/q8unKpWArY6m:7FXG9u/WBf1G3TlM204Po2u/4KpWdZk4",
        "type": "Matlab v4 mat-file (little endian) 3, numeric, rows 49717248, columns 8192",
        "yara": [],
        "cape_yara": [],
        "clamav": [],
        "tlsh": "T1E3F09E17070080F6DC58D6FA0A6EE7DBEE8D112D61E0A685CF2CE07325362E4A021111",
        "sha3_384": "e1cd875aedd80f4e2e149a15023529abd92fd23a808d867037b4e084b85415bd93779bda434470ede38a4726a6efbf45",
        "yara_hash": "b833150b13e1662cfeb7589959edd288cf4e73710395ec5c5f2123f39a668f4d",
        "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
        "data": null,
        "strings": [
          "~sUSVW",
          "PRh`9~sUSVW",
          "PRhX<~sUSVW"
        ],
        "virustotal": {
          "error": true,
          "msg": "VT File lookup disabled in processing.conf"
        },
        "executed_tools": [
          "overlay",
          "msi_extract",
          "kixtart_extract",
          "vbe_extract",
          "batch_extract",
          "UnAutoIt_extract",
          "UPX_unpack",
          "RarSFX_extract",
          "Inno_extract",
          "SevenZip_unpack",
          "de4dot_deobfuscate",
          "eziriz_deobfuscate",
          "office_one"
        ],
        "cape_type_code": 9,
        "cape_type": "Unpacked Shellcode",
        "process_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "process_name": "NanoCore.exe",
        "module_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "pid": 7684,
        "virtual_address": "0x02F6A000"
      },
      {
        "name": "d9a05b5e933480cb3a0a75e9adf8cbc2c8f30ab0308ace4f6da94281910a9880",
        "path": "/opt/CAPEv2/storage/analyses/42/CAPE/d9a05b5e933480cb3a0a75e9adf8cbc2c8f30ab0308ace4f6da94281910a9880",
        "guest_paths": "9;?C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe;?C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe;?0x07C60000;?",
        "size": 823,
        "crc32": "81EDBB10",
        "md5": "b1813a782b6c965c53bf836d792273b8",
        "sha1": "69cb3f99a847ddd904540d337140879de3ea0acd",
        "sha256": "d9a05b5e933480cb3a0a75e9adf8cbc2c8f30ab0308ace4f6da94281910a9880",
        "sha512": "0902d0d6f5f45c84d6da50d95e9ebcbc78e2098cb2fd9ff053270edd6222aa41f134a8a573ecc0b1944d19417742c3a4f79936a5b0bc20155abfc53d6a6b0d2f",
        "rh_hash": null,
        "ssdeep": "12:OuBKJEDX9RbBu3bIKtn1lfg4dsAs6ZTPIS2iU8i4HI9n1gVawlPPaRBKMZ/L1Q:NoETrB+8Kd1lflVv9i4uywwURQ",
        "type": "Windows boot log, header size 0x7c60000, 0x1 valid bytes",
        "yara": [],
        "cape_yara": [],
        "clamav": [],
        "tlsh": "T16B0149A415DBE7FED644EC389484C0F83969D917519DCBC65AD668ECD806C35700225D",
        "sha3_384": "ce0e1e7d531b8ea01a8976a7476ab6bfd3f33ac70ed3784673298b7dd013d987b3b6cb2fb83210c0e124b82deb13ab7b",
        "yara_hash": "b833150b13e1662cfeb7589959edd288cf4e73710395ec5c5f2123f39a668f4d",
        "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
        "data": null,
        "strings": [
          ";7`k]"
        ],
        "virustotal": {
          "error": true,
          "msg": "VT File lookup disabled in processing.conf"
        },
        "executed_tools": [
          "overlay",
          "msi_extract",
          "kixtart_extract",
          "vbe_extract",
          "batch_extract",
          "UnAutoIt_extract",
          "UPX_unpack",
          "RarSFX_extract",
          "Inno_extract",
          "SevenZip_unpack",
          "de4dot_deobfuscate",
          "eziriz_deobfuscate",
          "office_one"
        ],
        "cape_type_code": 9,
        "cape_type": "Unpacked Shellcode",
        "process_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "process_name": "NanoCore.exe",
        "module_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "pid": 7684,
        "virtual_address": "0x07C60000"
      },
      {
        "name": "fdc26f772969ee511a5d7efb14854e93192cc93a5a5a06677795c676b7b02b91",
        "path": "/opt/CAPEv2/storage/analyses/42/CAPE/fdc26f772969ee511a5d7efb14854e93192cc93a5a5a06677795c676b7b02b91",
        "guest_paths": "9;?C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe;?C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe;?0x05730000;?",
        "size": 4094,
        "crc32": "126EAF48",
        "md5": "fc150ad0e2720e84eb59e44730595b4b",
        "sha1": "dfa7a10c0446078a6f87a04edbe069e8f6b35795",
        "sha256": "fdc26f772969ee511a5d7efb14854e93192cc93a5a5a06677795c676b7b02b91",
        "sha512": "786701a4832c86f290a1621085eb6784ea1ea5205237c8a5a24450afe9776a421db12d84e9cdc9834825b926cd1335e6e52a49c644e4e8b3b6c0f2238a1ddefa",
        "rh_hash": null,
        "ssdeep": "12:H8CvZsjnZR26YCwEO7hwgfttBtpQux3KoyKbN3s5fIn4D5H3Z51H:H8SqnZRwCi7tvx3HRbMfI2F3H1H",
        "type": "DOS executable (COM), start instruction 0xeb4a5b84 2a4c0001",
        "yara": [],
        "cape_yara": [],
        "clamav": [],
        "tlsh": "T19281FEDC9E00866CCC17D6313D3E0B12181DC3CAA5847E884D4C97A30D3A66435F1714",
        "sha3_384": "fb0dc91e6d355c1c24425e83e7670a6322549375a075762df28ab1415cc7cb5154f94615296e7e9c6d7292dbc5f7287e",
        "yara_hash": "b833150b13e1662cfeb7589959edd288cf4e73710395ec5c5f2123f39a668f4d",
        "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
        "data": null,
        "strings": [
          "<~sUSVW",
          ";~sUSVW",
          "PPPPPhZ"
        ],
        "virustotal": {
          "error": true,
          "msg": "VT File lookup disabled in processing.conf"
        },
        "executed_tools": [
          "overlay",
          "msi_extract",
          "kixtart_extract",
          "vbe_extract",
          "batch_extract",
          "UnAutoIt_extract",
          "UPX_unpack",
          "RarSFX_extract",
          "Inno_extract",
          "SevenZip_unpack",
          "de4dot_deobfuscate",
          "eziriz_deobfuscate",
          "office_one"
        ],
        "cape_type_code": 9,
        "cape_type": "Unpacked Shellcode",
        "process_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "process_name": "NanoCore.exe",
        "module_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "pid": 7684,
        "virtual_address": "0x05730000"
      },
      {
        "name": "fffd2718e42793784f270c7cf9e47d11004eb3eebfe45efc1e8a52c87ea86373",
        "path": "/opt/CAPEv2/storage/analyses/42/CAPE/fffd2718e42793784f270c7cf9e47d11004eb3eebfe45efc1e8a52c87ea86373",
        "guest_paths": "9;?C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe;?C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe;?0x08290000;?",
        "size": 15341,
        "crc32": "1D98DC48",
        "md5": "74eebdae7abe3cf3319591eb98b7d844",
        "sha1": "aff81561ff45f8e016c5e73bd70e59cfd19a85b0",
        "sha256": "fffd2718e42793784f270c7cf9e47d11004eb3eebfe45efc1e8a52c87ea86373",
        "sha512": "564bb330ef833f6894dcc7f1610d5afd8e604b8479b85daad0d40ca9fa9c2be85fa789858e458b5ab9ece6391adc4eba8c3c0fd23ca5c15473ae66a35b0a4ec2",
        "rh_hash": null,
        "ssdeep": "384:N195uEofViSnbUQUbP22SpaboZk9maiG1buVVvreMfQLZzXJc:d8NWNmQtiObWXQA",
        "type": "Matlab v4 mat-file (little endian) \\230\\3360\\001\\, numeric, rows 136904704, columns 65536, imaginary (1)",
        "yara": [],
        "cape_yara": [],
        "clamav": [],
        "tlsh": "T12B624E208771E777C62A65B27F4E8ABD0431AE36D841C0AAF4562F7AF13C6E49980357",
        "sha3_384": "7277b13162173e0821f05d2f855456b751ef7f1d9bd519ca7935ac1da003ea2da955d3ec51299a7e7d7a281fc0601688",
        "yara_hash": "b833150b13e1662cfeb7589959edd288cf4e73710395ec5c5f2123f39a668f4d",
        "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
        "data": null,
        "strings": [],
        "virustotal": {
          "error": true,
          "msg": "VT File lookup disabled in processing.conf"
        },
        "executed_tools": [
          "overlay",
          "msi_extract",
          "kixtart_extract",
          "vbe_extract",
          "batch_extract",
          "UnAutoIt_extract",
          "UPX_unpack",
          "RarSFX_extract",
          "Inno_extract",
          "SevenZip_unpack",
          "de4dot_deobfuscate",
          "eziriz_deobfuscate",
          "office_one"
        ],
        "cape_type_code": 9,
        "cape_type": "Unpacked Shellcode",
        "process_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "process_name": "NanoCore.exe",
        "module_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "pid": 7684,
        "virtual_address": "0x08290000"
      },
      {
        "name": "05f88a29590f0789f1239f3d205c6799ff3f18dbfcf11b69b7f97ab2ca399056",
        "path": "/opt/CAPEv2/storage/analyses/42/CAPE/05f88a29590f0789f1239f3d205c6799ff3f18dbfcf11b69b7f97ab2ca399056",
        "guest_paths": "9;?C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe;?C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe;?0x09EE0000;?",
        "size": 2141,
        "crc32": "32DCBD98",
        "md5": "22eac65ac942b1bcd910c4ff589ab917",
        "sha1": "8c38b90e94298131e8a0c0b01cbb29c5b01515f8",
        "sha256": "05f88a29590f0789f1239f3d205c6799ff3f18dbfcf11b69b7f97ab2ca399056",
        "sha512": "c6b5c13616cb9cded1a2a196b011fb5da9192f0a1a95f37c43c80d7ca5b874d5c453cee16c394961e27442a1a0dab08e19a22f9249e8cd22fafaa53791200eb8",
        "rh_hash": null,
        "ssdeep": "12:F8las0OJ+SgjG2qXae0bCS23Wa4TOLxiNYZaYb7gVOPlxE4OGloiP4nXLCM7qbqr:F8la++SKqIbCbWanxJAYbc8dFZAT7qQn",
        "type": "data",
        "yara": [],
        "cape_yara": [],
        "clamav": [],
        "tlsh": "T18A410226E1386250C0115A3F9F67872043519D1B5542DBAE4308FD7D9DD25B811E62CC",
        "sha3_384": "3d673b4b3b66c0a0cee09dc602b25d005784d72c52ccfb9d3b6558cf5293efdd27d189877c6ca34bfd53ca47da5a256a",
        "yara_hash": "b833150b13e1662cfeb7589959edd288cf4e73710395ec5c5f2123f39a668f4d",
        "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
        "data": null,
        "strings": [
          "! #!%\"'#)$+%-&/'1(3)5*7+9,;-=.?/A0E1I2M3Q4U5Y6]7a8e9i:m;q<u=y>}?"
        ],
        "virustotal": {
          "error": true,
          "msg": "VT File lookup disabled in processing.conf"
        },
        "executed_tools": [
          "overlay",
          "msi_extract",
          "kixtart_extract",
          "vbe_extract",
          "batch_extract",
          "UnAutoIt_extract",
          "UPX_unpack",
          "RarSFX_extract",
          "Inno_extract",
          "SevenZip_unpack",
          "de4dot_deobfuscate",
          "eziriz_deobfuscate",
          "office_one"
        ],
        "cape_type_code": 9,
        "cape_type": "Unpacked Shellcode",
        "process_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "process_name": "NanoCore.exe",
        "module_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "pid": 7684,
        "virtual_address": "0x09EE0000"
      },
      {
        "name": "0b9c693217bdc314aa3dbf7363ef6ae8d0c4104a4e3b3ce52602eb1224e7c260",
        "path": "/opt/CAPEv2/storage/analyses/42/CAPE/0b9c693217bdc314aa3dbf7363ef6ae8d0c4104a4e3b3ce52602eb1224e7c260",
        "guest_paths": "9;?C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe;?C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe;?0x05730000;?",
        "size": 8190,
        "crc32": "4BCBC51D",
        "md5": "daa146b7b35ae2c9b1dee8268ecd760f",
        "sha1": "b71938b16b52251588724be25b6b9122b8132345",
        "sha256": "0b9c693217bdc314aa3dbf7363ef6ae8d0c4104a4e3b3ce52602eb1224e7c260",
        "sha512": "e712fd1b9cee2489141f418b6c28dacd45b77a123e304ea30cbe1e49d30fd5f8cea92de6f5309400aa0b2fd6d0927c9e51eb8f17dffbac10a816cd5622cb367c",
        "rh_hash": null,
        "ssdeep": "48:xj7XBs3NNk03K2h2jpa0wq1P2HkWOXOGbjSbS3v:x/xJ03bh2jpaY1P2HRbS3v",
        "type": "DOS executable (COM), start instruction 0xeb4a5b84 2a4c0001",
        "yara": [],
        "cape_yara": [],
        "clamav": [],
        "tlsh": "T136F151C4DF218125E01FD731388E0320E72CE2A99368794DCE44C5B73D362F27A97508",
        "sha3_384": "ecef52918b7360439a4a8460151aeffbf51523c83adf6e34184d1f3505330d05c774a8f05703cd55340e1a9a27cb663d",
        "yara_hash": "b833150b13e1662cfeb7589959edd288cf4e73710395ec5c5f2123f39a668f4d",
        "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
        "data": null,
        "strings": [
          "^J[1)L",
          ";~sUSVW",
          "PPPPPhZ",
          "HJ['!L",
          "~sUSVW",
          "<~sUSVW"
        ],
        "virustotal": {
          "error": true,
          "msg": "VT File lookup disabled in processing.conf"
        },
        "executed_tools": [
          "overlay",
          "msi_extract",
          "kixtart_extract",
          "vbe_extract",
          "batch_extract",
          "UnAutoIt_extract",
          "UPX_unpack",
          "RarSFX_extract",
          "Inno_extract",
          "SevenZip_unpack",
          "de4dot_deobfuscate",
          "eziriz_deobfuscate",
          "office_one"
        ],
        "cape_type_code": 9,
        "cape_type": "Unpacked Shellcode",
        "process_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "process_name": "NanoCore.exe",
        "module_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "pid": 7684,
        "virtual_address": "0x05730000"
      }
    ],
    "configs": []
  },
  "info": {
    "version": "2.5",
    "started": "2026-04-16 22:58:10",
    "ended": "2026-04-16 23:00:52",
    "duration": 162,
    "id": 42,
    "category": "file",
    "custom": "",
    "machine": {
      "id": 35,
      "status": "stopping",
      "name": "win10x64",
      "label": "win10x64",
      "platform": "windows",
      "manager": "KVM",
      "started_on": "2026-04-16 22:58:10",
      "shutdown_on": "2026-04-16 23:00:52"
    },
    "package": "exe",
    "timeout": false,
    "tlp": null,
    "parent_sample": {
      "id": 23,
      "file_size": 13850813,
      "file_type": "7-zip archive data, version 0.3",
      "md5": "a17189d956c6d1975717256a6e6418cb",
      "crc32": "97AFA081",
      "sha1": "970e16de1d07a90dd285e84b59c0a77e8992ed9f",
      "sha256": "f9cef6944196d5d27ca99a9c6287d9718b658add797e9cb770789a0c4dbf2bcd",
      "sha512": "3105fa5d4d6914fe69f4d4ab9e517eab55d225bbdfa199f37f3c9f103805b1b5c587fe5e985a87ea60e2e7d511a0f872619343014233791ef63859130065e9f1",
      "ssdeep": null,
      "source_url": null
    },
    "options": {},
    "source_url": null,
    "route": "",
    "user_id": 0,
    "CAPE_current_commit": "a9a0887dab232f52c59e955b9984dd494c47ce6b"
  },
  "behavior": {
    "processes": [
      {
        "process_id": 7684,
        "process_name": "NanoCore.exe",
        "parent_id": 7304,
        "module_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "first_seen": "2026-04-16 19:59:50,799",
        "calls": [
          {
            "timestamp": "2026-04-16 19:59:51,502",
            "thread_id": "4344",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-04-16 19:59:51,502",
            "thread_id": "7688",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-04-16 19:59:51,502",
            "thread_id": "7688",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-04-16 19:59:51,502",
            "thread_id": "1168",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-04-16 19:59:51,502",
            "thread_id": "1168",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-04-16 19:59:51,502",
            "thread_id": "5476",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-04-16 19:59:51,502",
            "thread_id": "5476",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-04-16 19:59:51,502",
            "thread_id": "176",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-04-16 19:59:51,502",
            "thread_id": "176",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x7418ec20",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741ac000"
              },
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x77266176",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x76ea0000"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "RegOpenKeyExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebe9b0"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x7418ec20",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741ac000"
              },
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x7417ed49",
            "parentcaller": "0x7416dccc",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework\\Policy\\"
              },
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x7418ec20",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741ac000"
              },
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "RegQueryInfoKeyW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebeb00"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x7418ec20",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741ac000"
              },
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x7417e980",
            "parentcaller": "0x7417ed5c",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000240"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "5"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "9"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x7418ec20",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741ac000"
              },
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "RegEnumKeyExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebead0"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x7418ec20",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741ac000"
              },
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x7417e9f7",
            "parentcaller": "0x7417ed5c",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "Index",
                "value": "4"
              },
              {
                "name": "Name",
                "value": "v4.0"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\policy\\v4.0"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x7417e9f7",
            "parentcaller": "0x7417ed5c",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "Name",
                "value": "v2.0"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\policy\\v2.0"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x7417e9f7",
            "parentcaller": "0x7417ed5c",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": "Upgrades"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\policy\\Upgrades"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x7417e9f7",
            "parentcaller": "0x7417ed5c",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "standards"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\policy\\standards"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x7417e9f7",
            "parentcaller": "0x7417ed5c",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "AppPatch"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\policy\\AppPatch"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x7417edb8",
            "parentcaller": "0x7416dccc",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000240"
              },
              {
                "name": "SubKey",
                "value": "v4.0"
              },
              {
                "name": "Handle",
                "value": "0x00000244"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\policy\\v4.0"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x7417eb88",
            "parentcaller": "0x7417edde",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000244"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "1"
              },
              {
                "name": "MaxValueNameLength",
                "value": "5"
              },
              {
                "name": "MaxValueLength",
                "value": "24"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x7418ec20",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741ac000"
              },
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "RegEnumValueW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebeba0"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x7418ec20",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741ac000"
              },
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x7417ec0a",
            "parentcaller": "0x7417edde",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "30319"
              },
              {
                "name": "Data",
                "value": "30319-30319"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\policy\\v4.0\\30319"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x7418ec20",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741ac000"
              },
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "RegCloseKey"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebeb20"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x7418ec20",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741ac000"
              },
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x7417ee01",
            "parentcaller": "0x7416dccc",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x77264429",
            "parentcaller": "0x741751c9",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\MSCOREE.DLL.local"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x74174e1c",
            "parentcaller": "0x741752b8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework"
              },
              {
                "name": "Handle",
                "value": "0x00000244"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x7418ec20",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741ac000"
              },
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "RegQueryValueExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebe8e0"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x7418ec20",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x741ac000"
              },
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x74174e34",
            "parentcaller": "0x741752b8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              },
              {
                "name": "ValueName",
                "value": "InstallRoot"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\InstallRoot"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x74174e71",
            "parentcaller": "0x741752b8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              },
              {
                "name": "ValueName",
                "value": "InstallRoot"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\InstallRoot"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-04-16 19:59:51,580",
            "thread_id": "4344",
            "caller": "0x74174e7f",
            "parentcaller": "0x741752b8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-04-16 19:59:51,611",
            "thread_id": "4344",
            "caller": "0x77264566",
            "parentcaller": "0x74186667",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x012ba5f8",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x51d5aa91"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d8c32f"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-04-16 19:59:51,643",
            "thread_id": "4344",
            "caller": "0x77275d68",
            "parentcaller": "0x74186677",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-04-16 19:59:51,643",
            "thread_id": "4344",
            "caller": "0x7417ef8e",
            "parentcaller": "0x7416dccc",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-04-16 19:59:51,643",
            "thread_id": "4344",
            "caller": "0x74174e1c",
            "parentcaller": "0x741752b8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework"
              },
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-04-16 19:59:51,643",
            "thread_id": "4344",
            "caller": "0x74174e34",
            "parentcaller": "0x741752b8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "ValueName",
                "value": "InstallRoot"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\InstallRoot"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-04-16 19:59:51,643",
            "thread_id": "4344",
            "caller": "0x74174e71",
            "parentcaller": "0x741752b8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "ValueName",
                "value": "InstallRoot"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\InstallRoot"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-04-16 19:59:51,643",
            "thread_id": "4344",
            "caller": "0x74174e7f",
            "parentcaller": "0x741752b8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-04-16 19:59:51,643",
            "thread_id": "4344",
            "caller": "0x77264566",
            "parentcaller": "0x74186667",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x012ba2b8",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x51d5aa91"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d8c32f"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-04-16 19:59:51,643",
            "thread_id": "4344",
            "caller": "0x77275d68",
            "parentcaller": "0x74186677",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x74174e1c",
            "parentcaller": "0x741752b8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework"
              },
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x74174e34",
            "parentcaller": "0x741752b8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "ValueName",
                "value": "InstallRoot"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\InstallRoot"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x74174e71",
            "parentcaller": "0x741752b8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "ValueName",
                "value": "InstallRoot"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\InstallRoot"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x74174e7f",
            "parentcaller": "0x741752b8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x7417952e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei"
              },
              {
                "name": "DllBase",
                "value": "0x73e10000"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73e189ae",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-synch-l1-2-0"
              },
              {
                "name": "BaseAddress",
                "value": "0x77150000"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73e189ae",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-fibers-l1-1-1"
              },
              {
                "name": "BaseAddress",
                "value": "0x77150000"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73e18760",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-synch-l1-2-0"
              },
              {
                "name": "BaseAddress",
                "value": "0x77150000"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73e18760",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-fibers-l1-1-1"
              },
              {
                "name": "BaseAddress",
                "value": "0x77150000"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73e18760",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-localization-l1-2-1"
              },
              {
                "name": "BaseAddress",
                "value": "0x77150000"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x77266176",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x76ea0000"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x7417952e",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x73e10000"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x7417952e",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x73e10000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterShimImplCallback"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x73e114d0"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterShimImplCleanupCallback"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "SetShellShimInstance"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "OnShimDllMainCalled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x73e19630"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "_CorExeMain_RetAddr"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "_CorExeMain"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x73e1fa20"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x77264429",
            "parentcaller": "0x73e22143",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\MSCOREE.DLL.local"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x73e17a31",
            "parentcaller": "0x73e18d85",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework"
              },
              {
                "name": "Handle",
                "value": "0x00000234"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x73e18da2",
            "parentcaller": "0x73e1924a",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              },
              {
                "name": "ValueName",
                "value": "InstallRoot"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\InstallRoot"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x73e18de3",
            "parentcaller": "0x73e1924a",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              },
              {
                "name": "ValueName",
                "value": "InstallRoot"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\InstallRoot"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x73e18df4",
            "parentcaller": "0x73e1924a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-04-16 19:59:51,658",
            "thread_id": "4344",
            "caller": "0x77264566",
            "parentcaller": "0x73e1162d",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x012ba138",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\*"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc87fbef5"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-04-16 19:59:51,674",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120080",
                "pretty_value": "FILE_READ_ATTRIBUTES|READ_CONTROL|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v1.0.3705\\clr.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-04-16 19:59:51,674",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120080",
                "pretty_value": "FILE_READ_ATTRIBUTES|READ_CONTROL|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v1.0.3705\\mscorwks.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-04-16 19:59:51,674",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120080",
                "pretty_value": "FILE_READ_ATTRIBUTES|READ_CONTROL|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v1.1.4322\\clr.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-04-16 19:59:51,674",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120080",
                "pretty_value": "FILE_READ_ATTRIBUTES|READ_CONTROL|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v1.1.4322\\mscorwks.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-04-16 19:59:51,877",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120080",
                "pretty_value": "FILE_READ_ATTRIBUTES|READ_CONTROL|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\clr.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-04-16 19:59:51,924",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000230"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120080",
                "pretty_value": "FILE_READ_ATTRIBUTES|READ_CONTROL|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-04-16 19:59:51,924",
            "thread_id": "4344",
            "caller": "0x7726269a",
            "parentcaller": "0x73e17007",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-04-16 19:59:52,096",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000230"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120080",
                "pretty_value": "FILE_READ_ATTRIBUTES|READ_CONTROL|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-04-16 19:59:52,096",
            "thread_id": "4344",
            "caller": "0x7726269a",
            "parentcaller": "0x73e17007",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-04-16 19:59:52,096",
            "thread_id": "4344",
            "caller": "0x77275d68",
            "parentcaller": "0x73e15ff0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-04-16 19:59:52,096",
            "thread_id": "4344",
            "caller": "0x73e21a39",
            "parentcaller": "0x73e16701",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-04-16 19:59:52,096",
            "thread_id": "4344",
            "caller": "0x73e21a7f",
            "parentcaller": "0x73e16701",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework"
              },
              {
                "name": "Handle",
                "value": "0x00000230"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-04-16 19:59:52,096",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x73e1ce46",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73e95000"
              },
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-04-16 19:59:52,096",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x77266176",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x76f20000"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-04-16 19:59:52,096",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76f20000"
              },
              {
                "name": "FunctionName",
                "value": "UrlIsW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76f343a0"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-04-16 19:59:52,096",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x73e1ce46",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73e95000"
              },
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-04-16 19:59:52,096",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe.config"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-04-16 19:59:52,096",
            "thread_id": "4344",
            "caller": "0x73e17a31",
            "parentcaller": "0x73e20224",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework"
              },
              {
                "name": "Handle",
                "value": "0x0000022c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-04-16 19:59:52,096",
            "thread_id": "4344",
            "caller": "0x73e2024d",
            "parentcaller": "0x73e20350",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              },
              {
                "name": "ValueName",
                "value": "UseLegacyV2RuntimeActivationPolicyDefaultValue"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\UseLegacyV2RuntimeActivationPolicyDefaultValue"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-04-16 19:59:52,096",
            "thread_id": "4344",
            "caller": "0x73e1760b",
            "parentcaller": "0x73e202b6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-04-16 19:59:52,096",
            "thread_id": "4344",
            "caller": "0x73e17a31",
            "parentcaller": "0x73e20224",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework"
              },
              {
                "name": "Handle",
                "value": "0x0000022c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-04-16 19:59:52,096",
            "thread_id": "4344",
            "caller": "0x73e2024d",
            "parentcaller": "0x73e20350",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              },
              {
                "name": "ValueName",
                "value": "OnlyUseLatestCLR"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-04-16 19:59:52,096",
            "thread_id": "4344",
            "caller": "0x73e1760b",
            "parentcaller": "0x73e202b6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-04-16 19:59:52,127",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000022c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-04-16 19:59:52,127",
            "thread_id": "4344",
            "caller": "0x7727081d",
            "parentcaller": "0x73e44737",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000022c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x16\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-04-16 19:59:52,127",
            "thread_id": "4344",
            "caller": "0x77260e58",
            "parentcaller": "0x77260abe",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000224"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000022c"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-04-16 19:59:52,127",
            "thread_id": "4344",
            "caller": "0x7726f16b",
            "parentcaller": "0x73e43dc6",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000224"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x055e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fecac"
              },
              {
                "name": "ViewSize",
                "value": "0x00161000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-04-16 19:59:52,346",
            "thread_id": "4344",
            "caller": "0x73e5863e",
            "parentcaller": "0x73e5740f",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-04-16 19:59:52,346",
            "thread_id": "4344",
            "caller": "0x7726269a",
            "parentcaller": "0x73e43e96",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-04-16 19:59:52,346",
            "thread_id": "4344",
            "caller": "0x77270c75",
            "parentcaller": "0x73e43ec1",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x055e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00161000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-04-16 19:59:52,346",
            "thread_id": "4344",
            "caller": "0x7726269a",
            "parentcaller": "0x73e43ee4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000224"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-04-16 19:59:52,346",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000224"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-04-16 19:59:52,346",
            "thread_id": "4344",
            "caller": "0x7727081d",
            "parentcaller": "0x73e44737",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000224"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x16\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-04-16 19:59:52,346",
            "thread_id": "4344",
            "caller": "0x77260e58",
            "parentcaller": "0x77260abe",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000022c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000224"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-04-16 19:59:52,361",
            "thread_id": "4344",
            "caller": "0x7726f16b",
            "parentcaller": "0x73e43dc6",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000022c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x055e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fecac"
              },
              {
                "name": "ViewSize",
                "value": "0x00161000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-04-16 19:59:52,361",
            "thread_id": "4344",
            "caller": "0x73e5863e",
            "parentcaller": "0x73e5740f",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-04-16 19:59:52,361",
            "thread_id": "4344",
            "caller": "0x7726269a",
            "parentcaller": "0x73e43e96",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000224"
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2026-04-16 19:59:52,361",
            "thread_id": "4344",
            "caller": "0x77270c75",
            "parentcaller": "0x73e43ec1",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x055e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00161000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2026-04-16 19:59:52,361",
            "thread_id": "4344",
            "caller": "0x7726269a",
            "parentcaller": "0x73e43ee4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2026-04-16 19:59:52,471",
            "thread_id": "4344",
            "caller": "0x73e17a31",
            "parentcaller": "0x73e2fc7b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000006",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000000"
              },
              {
                "name": "SubKey",
                "value": "Policy\\Standards"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "Policy\\Standards"
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2026-04-16 19:59:52,471",
            "thread_id": "4344",
            "caller": "0x73e17a31",
            "parentcaller": "0x73e2fc7b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000230"
              },
              {
                "name": "SubKey",
                "value": "Policy\\Standards"
              },
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\Policy\\Standards"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2026-04-16 19:59:52,471",
            "thread_id": "4344",
            "caller": "0x73e17a31",
            "parentcaller": "0x73e2fa9a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000240"
              },
              {
                "name": "SubKey",
                "value": "v2.0.50727"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\policy\\standards\\v2.0.50727"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2026-04-16 19:59:52,471",
            "thread_id": "4344",
            "caller": "0x73e2509d",
            "parentcaller": "0x73e298ef",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2026-04-16 19:59:52,596",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73e1dd47",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x75250000"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73e1dd47",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-appmodel-runtime-l1-1-2.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x75250000"
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73e1dd47",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x75250000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "api-ms-win-appmodel-runtime-l1-1-2.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75250000"
              },
              {
                "name": "FunctionName",
                "value": "AppPolicyGetClrCompat"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75253a00"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75250000"
              },
              {
                "name": "FunctionName",
                "value": "GetCurrentPackageId"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75253d80"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75250000"
              },
              {
                "name": "FunctionName",
                "value": "GetCurrentPackageInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75253db0"
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75250000"
              },
              {
                "name": "FunctionName",
                "value": "GetCurrentPackagePath"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75253dd0"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x77260848",
            "parentcaller": "0x73e1db51",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000022c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x73e1ce46",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73e95000"
              },
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "OpenProcessToken"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebea30"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x73e1ce46",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73e95000"
              },
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x77263cc4",
            "parentcaller": "0x73e1dbb9",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000022c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x73e1ce46",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73e95000"
              },
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "GetTokenInformation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebe690"
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x73e1ce46",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73e95000"
              },
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x77261446",
            "parentcaller": "0x73e1dc0a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x7726269a",
            "parentcaller": "0x73e1dc40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x7726269a",
            "parentcaller": "0x73e1dc62",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x73e17a31",
            "parentcaller": "0x73e17f73",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Fusion"
              },
              {
                "name": "Handle",
                "value": "0x0000022c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x73e17fa5",
            "parentcaller": "0x73e18014",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              },
              {
                "name": "ValueName",
                "value": "NoClientChecks"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Fusion\\NoClientChecks"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x73e17fd5",
            "parentcaller": "0x73e18014",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x73e1ce46",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73e95000"
              },
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x77266176",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\VERSION"
              },
              {
                "name": "DllBase",
                "value": "0x75460000"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x77266176",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "VERSION.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x75460000"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "VERSION.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75460000"
              },
              {
                "name": "FunctionName",
                "value": "GetFileVersionInfoSizeW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x754615c0"
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2026-04-16 19:59:52,611",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x73e1ce46",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73e95000"
              },
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2026-04-16 19:59:56,564",
            "thread_id": "4344",
            "caller": "0x73e2080a",
            "parentcaller": "0x73e1da39",
            "category": "filesystem",
            "api": "GetFileVersionInfoSizeW",
            "status": true,
            "return": "0x0000081c",
            "arguments": [
              {
                "name": "PathName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2026-04-16 19:59:56,564",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x73e1ce46",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73e95000"
              },
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2026-04-16 19:59:56,564",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "VERSION.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75460000"
              },
              {
                "name": "FunctionName",
                "value": "GetFileVersionInfoW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x754615e0"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2026-04-16 19:59:56,564",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x73e1ce46",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73e95000"
              },
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2026-04-16 19:59:56,564",
            "thread_id": "4344",
            "caller": "0x73e2082b",
            "parentcaller": "0x73e1da39",
            "category": "filesystem",
            "api": "GetFileVersionInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "PathName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2026-04-16 19:59:56,564",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x73e1ce46",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73e95000"
              },
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2026-04-16 19:59:56,564",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "VERSION.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75460000"
              },
              {
                "name": "FunctionName",
                "value": "VerQueryValueW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75461560"
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2026-04-16 19:59:56,564",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x73e1ce46",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73e95000"
              },
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2026-04-16 19:59:56,564",
            "thread_id": "4344",
            "caller": "0x73e1d044",
            "parentcaller": "0x73e1cfd3",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2026-04-16 19:59:56,580",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000240"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120080",
                "pretty_value": "FILE_READ_ATTRIBUTES|READ_CONTROL|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2026-04-16 19:59:56,580",
            "thread_id": "4344",
            "caller": "0x7726269a",
            "parentcaller": "0x73e17007",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2026-04-16 19:59:56,580",
            "thread_id": "4344",
            "caller": "0x73e11e78",
            "parentcaller": "0x73e1d114",
            "category": "misc",
            "api": "HeapCreate",
            "status": true,
            "return": "0x05730000",
            "arguments": [
              {
                "name": "Options",
                "value": "262144"
              },
              {
                "name": "InitialSize",
                "value": "0x00000000"
              },
              {
                "name": "MaximumSize",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2026-04-16 19:59:57,408",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73e1fecf",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "4344"
              },
              {
                "name": "Module",
                "value": "KERNEL32.dll"
              },
              {
                "name": "Return Address",
                "value": "0x76ad24ac"
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2026-04-16 19:59:58,533",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73e1fecf",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\WinSxS\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\\MSVCR80"
              },
              {
                "name": "DllBase",
                "value": "0x736e0000"
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2026-04-16 19:59:58,533",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73e1fecf",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks"
              },
              {
                "name": "DllBase",
                "value": "0x737e0000"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2026-04-16 19:59:59,299",
            "thread_id": "4344",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f31000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2026-04-16 19:59:59,424",
            "thread_id": "4344",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f32000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2026-04-16 19:59:59,424",
            "thread_id": "4344",
            "caller": "0x7373339d",
            "parentcaller": "0x736e1762",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2026-04-16 19:59:59,564",
            "thread_id": "4344",
            "caller": "0x7726f231",
            "parentcaller": "0x736e1da6",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2026-04-16 19:59:59,564",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "FindActCtxSectionStringW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ac8900"
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2026-04-16 19:59:59,564",
            "thread_id": "4344",
            "caller": "0x7726f231",
            "parentcaller": "0x736e1dcd",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "MSCoree.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x74160000"
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2026-04-16 19:59:59,564",
            "thread_id": "4344",
            "caller": "0x7726f231",
            "parentcaller": "0x736e1dd6",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "PGORT80.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x74160000"
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2026-04-16 19:59:59,564",
            "thread_id": "4344",
            "caller": "0x77262ba1",
            "parentcaller": "0x76ace2b9",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2026-04-16 19:59:59,564",
            "thread_id": "4344",
            "caller": "0x77264429",
            "parentcaller": "0x76ace2c9",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\\msvcr80.dll"
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2026-04-16 19:59:59,674",
            "thread_id": "4344",
            "caller": "0x77264566",
            "parentcaller": "0x76ace434",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x012ba138",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01ca0431"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2026-04-16 19:59:59,674",
            "thread_id": "4344",
            "caller": "0x77275d68",
            "parentcaller": "0x76ace44d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2026-04-16 19:59:59,674",
            "thread_id": "4344",
            "caller": "0x77264566",
            "parentcaller": "0x76ace434",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x012ba138",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2026-04-16 19:59:59,674",
            "thread_id": "4344",
            "caller": "0x77275d68",
            "parentcaller": "0x76ace44d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2026-04-16 19:59:59,674",
            "thread_id": "4344",
            "caller": "0x77264566",
            "parentcaller": "0x76ace434",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x012ba138",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\\msvcr80.dll"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xf1cf05b4"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 175
          },
          {
            "timestamp": "2026-04-16 19:59:59,674",
            "thread_id": "4344",
            "caller": "0x77275d68",
            "parentcaller": "0x76ace44d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2026-04-16 19:59:59,674",
            "thread_id": "4344",
            "caller": "0x77262ba1",
            "parentcaller": "0x76ace569",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2026-04-16 19:59:59,674",
            "thread_id": "4344",
            "caller": "0x7726f231",
            "parentcaller": "0x736e1f08",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2026-04-16 19:59:59,674",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetSystemWindowsDirectoryW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ac9500"
              }
            ],
            "repeated": 0,
            "id": 179
          },
          {
            "timestamp": "2026-04-16 19:59:59,861",
            "thread_id": "4344",
            "caller": "0x7726f231",
            "parentcaller": "0x73896231",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "mscoree.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x74160000"
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2026-04-16 19:59:59,861",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x74160000"
              },
              {
                "name": "FunctionName",
                "value": "GetProcessExecutableHeap"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x74171fa0"
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2026-04-16 19:59:59,924",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "GetProcessExecutableHeap_RetAddr"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2026-04-16 19:59:59,924",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "GetProcessExecutableHeap"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x73e11e60"
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2026-04-16 20:00:00,205",
            "thread_id": "4344",
            "caller": "0x77e7007d",
            "parentcaller": "0x7726648d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2026-04-16 20:00:00,361",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7389032d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework"
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2026-04-16 20:00:00,361",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73890395",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework"
              },
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework"
              }
            ],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2026-04-16 20:00:00,424",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x738903bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "ValueName",
                "value": "GCStressStart"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\GCStressStart"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2026-04-16 20:00:00,424",
            "thread_id": "4344",
            "caller": "0x738903cc",
            "parentcaller": "0x739176dd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2026-04-16 20:00:00,424",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7389032d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework"
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2026-04-16 20:00:00,424",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73890395",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework"
              },
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2026-04-16 20:00:00,424",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x738903bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "ValueName",
                "value": "GCStressStartAtJit"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit"
              }
            ],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2026-04-16 20:00:00,424",
            "thread_id": "4344",
            "caller": "0x738903cc",
            "parentcaller": "0x739176dd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2026-04-16 20:00:00,424",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7389032d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework"
              }
            ],
            "repeated": 0,
            "id": 193
          },
          {
            "timestamp": "2026-04-16 20:00:00,424",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73890395",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework"
              },
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework"
              }
            ],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2026-04-16 20:00:00,424",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x738903bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "ValueName",
                "value": "GCStressStart"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\GCStressStart"
              }
            ],
            "repeated": 0,
            "id": 195
          },
          {
            "timestamp": "2026-04-16 20:00:00,424",
            "thread_id": "4344",
            "caller": "0x738903cc",
            "parentcaller": "0x739176dd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 196
          },
          {
            "timestamp": "2026-04-16 20:00:00,424",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7389032d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework"
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2026-04-16 20:00:00,424",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73890395",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework"
              },
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework"
              }
            ],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2026-04-16 20:00:00,424",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x738903bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "ValueName",
                "value": "GCStressStartAtJit"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit"
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2026-04-16 20:00:00,424",
            "thread_id": "4344",
            "caller": "0x738903cc",
            "parentcaller": "0x739176dd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2026-04-16 20:00:00,486",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73e1fecf",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x737e0000"
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2026-04-16 20:00:00,486",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73e1fecf",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x737e0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2026-04-16 20:00:00,486",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscorwks.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x737e0000"
              },
              {
                "name": "FunctionName",
                "value": "SetLoadedByMscoree"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2026-04-16 20:00:00,486",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x73e1ce46",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73e95000"
              },
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2026-04-16 20:00:00,486",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x77266176",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "USER32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x75d10000"
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2026-04-16 20:00:00,486",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetProcessWindowStation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d517d0"
              }
            ],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2026-04-16 20:00:00,486",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x73e1ce46",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73e95000"
              },
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2026-04-16 20:00:00,486",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x73e1ce46",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73e95000"
              },
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2026-04-16 20:00:00,486",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetUserObjectInformationW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d518c0"
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2026-04-16 20:00:00,486",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x73e1ce46",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x73e95000"
              },
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2026-04-16 20:00:00,486",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscorwks.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x737e0000"
              },
              {
                "name": "FunctionName",
                "value": "_CorExeMain"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7391877c"
              }
            ],
            "repeated": 0,
            "id": 211
          },
          {
            "timestamp": "2026-04-16 20:00:00,736",
            "thread_id": "4344",
            "caller": "0x73938391",
            "parentcaller": "0x739383dd",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 212
          },
          {
            "timestamp": "2026-04-16 20:00:00,752",
            "thread_id": "4344",
            "caller": "0x7726f231",
            "parentcaller": "0x73895854",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "mscorwks.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x737e0000"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2026-04-16 20:00:00,752",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscorwks.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x737e0000"
              },
              {
                "name": "FunctionName",
                "value": "GetCLRFunction"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x738d08a5"
              }
            ],
            "repeated": 0,
            "id": 214
          },
          {
            "timestamp": "2026-04-16 20:00:00,861",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7389032d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2026-04-16 20:00:00,861",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73890395",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework"
              },
              {
                "name": "Handle",
                "value": "0x0000022c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework"
              }
            ],
            "repeated": 0,
            "id": 216
          },
          {
            "timestamp": "2026-04-16 20:00:00,861",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x738903bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              },
              {
                "name": "ValueName",
                "value": "DisableConfigCache"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\DisableConfigCache"
              }
            ],
            "repeated": 0,
            "id": 217
          },
          {
            "timestamp": "2026-04-16 20:00:00,861",
            "thread_id": "4344",
            "caller": "0x738903cc",
            "parentcaller": "0x738955f2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              }
            ],
            "repeated": 0,
            "id": 218
          },
          {
            "timestamp": "2026-04-16 20:00:00,861",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73895620",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework"
              }
            ],
            "repeated": 0,
            "id": 219
          },
          {
            "timestamp": "2026-04-16 20:00:00,861",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73895620",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework"
              },
              {
                "name": "Handle",
                "value": "0x0000022c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework"
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2026-04-16 20:00:00,861",
            "thread_id": "4344",
            "caller": "0x738c2bb6",
            "parentcaller": "0x7389565b",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "InstallRoot"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\InstallRoot"
              }
            ],
            "repeated": 0,
            "id": 221
          },
          {
            "timestamp": "2026-04-16 20:00:00,971",
            "thread_id": "4344",
            "caller": "0x738c2bb6",
            "parentcaller": "0x7389565b",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Type",
                "value": "0",
                "pretty_value": "REG_NONE"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\"
              }
            ],
            "repeated": 0,
            "id": 222
          },
          {
            "timestamp": "2026-04-16 20:00:01,064",
            "thread_id": "4344",
            "caller": "0x7726074f",
            "parentcaller": "0x73a192bb",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "advapi32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              }
            ],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2026-04-16 20:00:01,064",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterTraceGuidsW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea44b0"
              }
            ],
            "repeated": 0,
            "id": 224
          },
          {
            "timestamp": "2026-04-16 20:00:01,064",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "UnregisterTraceGuids"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e99a70"
              }
            ],
            "repeated": 0,
            "id": 225
          },
          {
            "timestamp": "2026-04-16 20:00:01,064",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "GetTraceLoggerHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eac810"
              }
            ],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2026-04-16 20:00:01,064",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "GetTraceEnableLevel"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eac860"
              }
            ],
            "repeated": 0,
            "id": 227
          },
          {
            "timestamp": "2026-04-16 20:00:01,064",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "GetTraceEnableFlags"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eac890"
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2026-04-16 20:00:01,064",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "TraceEvent"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77f41320"
              }
            ],
            "repeated": 0,
            "id": 229
          },
          {
            "timestamp": "2026-04-16 20:00:01,580",
            "thread_id": "4344",
            "caller": "0x77e7007d",
            "parentcaller": "0x7726648d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 230
          },
          {
            "timestamp": "2026-04-16 20:00:01,580",
            "thread_id": "4344",
            "caller": "0x77260c1f",
            "parentcaller": "0x7388c16d",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "EventName",
                "value": "Global\\CLR_PerfMon_StartEnumEvent"
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2026-04-16 20:00:01,689",
            "thread_id": "4344",
            "caller": "0x73732866",
            "parentcaller": "0x738953e7",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 232
          },
          {
            "timestamp": "2026-04-16 20:00:01,689",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "mscoree.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x74160000"
              }
            ],
            "repeated": 0,
            "id": 233
          },
          {
            "timestamp": "2026-04-16 20:00:01,689",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x74160000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "mscoree.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2026-04-16 20:00:01,689",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x74160000"
              },
              {
                "name": "FunctionName",
                "value": "IEE"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x74172e40"
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2026-04-16 20:00:01,689",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "IEE_RetAddr"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 236
          },
          {
            "timestamp": "2026-04-16 20:00:01,689",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "IEE"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x73e40c70"
              }
            ],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2026-04-16 20:00:01,830",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscorwks.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x737e0000"
              },
              {
                "name": "FunctionName",
                "value": "IEE"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x738954a8"
              }
            ],
            "repeated": 0,
            "id": 238
          },
          {
            "timestamp": "2026-04-16 20:00:01,830",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x7385f357",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x737e2000"
              },
              {
                "name": "ModuleName",
                "value": "mscorwks.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000020",
                "pretty_value": "PAGE_EXECUTE_READ"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2026-04-16 20:00:01,830",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x7385f357",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x737e2000"
              },
              {
                "name": "ModuleName",
                "value": "mscorwks.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000020",
                "pretty_value": "PAGE_EXECUTE_READ"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 240
          },
          {
            "timestamp": "2026-04-16 20:00:01,830",
            "thread_id": "4344",
            "caller": "0x7726074f",
            "parentcaller": "0x73894c46",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "mscoree.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x74160000"
              }
            ],
            "repeated": 0,
            "id": 241
          },
          {
            "timestamp": "2026-04-16 20:00:01,830",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x74160000"
              },
              {
                "name": "FunctionName",
                "value": "GetStartupFlags"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7416ffc0"
              }
            ],
            "repeated": 0,
            "id": 242
          },
          {
            "timestamp": "2026-04-16 20:00:01,830",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "GetStartupFlags_RetAddr"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 243
          },
          {
            "timestamp": "2026-04-16 20:00:01,830",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "GetStartupFlags"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x73e3f5a0"
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2026-04-16 20:00:01,830",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x74160000"
              },
              {
                "name": "FunctionName",
                "value": "GetHostConfigurationFile"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x74172050"
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2026-04-16 20:00:01,830",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "GetHostConfigurationFile_RetAddr"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 246
          },
          {
            "timestamp": "2026-04-16 20:00:01,830",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "GetHostConfigurationFile"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x73e3f600"
              }
            ],
            "repeated": 0,
            "id": 247
          },
          {
            "timestamp": "2026-04-16 20:00:01,830",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "GetCORVersion_RetAddr"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2026-04-16 20:00:01,830",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "GetCORVersion"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x73e3e060"
              }
            ],
            "repeated": 0,
            "id": 249
          },
          {
            "timestamp": "2026-04-16 20:00:01,830",
            "thread_id": "4344",
            "caller": "0x7726074f",
            "parentcaller": "0x73894634",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "mscoree.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x74160000"
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2026-04-16 20:00:01,830",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x74160000"
              },
              {
                "name": "FunctionName",
                "value": "GetCORSystemDirectory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x741708b0"
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2026-04-16 20:00:01,830",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "GetCORSystemDirectory_RetAddr"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x73e3f300"
              }
            ],
            "repeated": 0,
            "id": 252
          },
          {
            "timestamp": "2026-04-16 20:00:01,846",
            "thread_id": "4344",
            "caller": "0x73e17a31",
            "parentcaller": "0x73e523f8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework\\Policy\\AppPatch"
              },
              {
                "name": "Handle",
                "value": "0x00000228"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\AppPatch"
              }
            ],
            "repeated": 0,
            "id": 253
          },
          {
            "timestamp": "2026-04-16 20:00:01,986",
            "thread_id": "4344",
            "caller": "0x77277bae",
            "parentcaller": "0x73e52c0b",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319"
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2026-04-16 20:00:01,986",
            "thread_id": "4344",
            "caller": "0x73e17a31",
            "parentcaller": "0x73e523f8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000228"
              },
              {
                "name": "SubKey",
                "value": "v4.0.30319.00000"
              },
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\policy\\AppPatch\\v4.0.30319.00000"
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2026-04-16 20:00:01,986",
            "thread_id": "4344",
            "caller": "0x73e1760b",
            "parentcaller": "0x73e50f0e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000228"
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2026-04-16 20:00:01,986",
            "thread_id": "4344",
            "caller": "0x73e17a31",
            "parentcaller": "0x73e523f8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000248"
              },
              {
                "name": "SubKey",
                "value": "mscorwks.dll"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\policy\\AppPatch\\v4.0.30319.00000\\mscorwks.dll"
              }
            ],
            "repeated": 0,
            "id": 257
          },
          {
            "timestamp": "2026-04-16 20:00:01,986",
            "thread_id": "4344",
            "caller": "0x73e1760b",
            "parentcaller": "0x73e50b0a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 258
          },
          {
            "timestamp": "2026-04-16 20:00:01,986",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "CreateConfigStream_RetAddr"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 259
          },
          {
            "timestamp": "2026-04-16 20:00:01,986",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "CreateConfigStream"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x73e196a0"
              }
            ],
            "repeated": 0,
            "id": 260
          },
          {
            "timestamp": "2026-04-16 20:00:02,111",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000248"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 261
          },
          {
            "timestamp": "2026-04-16 20:00:02,189",
            "thread_id": "4344",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x012ce000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 262
          },
          {
            "timestamp": "2026-04-16 20:00:02,221",
            "thread_id": "4344",
            "caller": "0x7726249c",
            "parentcaller": "0x73e11df9",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000248"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
              },
              {
                "name": "Buffer",
                "value": "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!--\r\n    Please refer to machine.config.comments for a description and\r\n    the default values of each configuration section.\r\n\r\n    For a full documentation of the schema please refer to\r\n    http://go.microsoft.com/"
              },
              {
                "name": "Length",
                "value": "4095"
              }
            ],
            "repeated": 0,
            "id": 263
          },
          {
            "timestamp": "2026-04-16 20:00:02,299",
            "thread_id": "4344",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x012d1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 264
          },
          {
            "timestamp": "2026-04-16 20:00:02,299",
            "thread_id": "4344",
            "caller": "0x7726249c",
            "parentcaller": "0x73e11df9",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000248"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
              },
              {
                "name": "Buffer",
                "value": "7a5c561934e089\">\r\n            <section name=\"schemaImporterExtensions\" type=\"System.Xml.Serialization.Configuration.SchemaImporterExtensionsSection, System.Xml, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\"/>\r\n            <section name"
              },
              {
                "name": "Length",
                "value": "18712"
              }
            ],
            "repeated": 0,
            "id": 265
          },
          {
            "timestamp": "2026-04-16 20:00:02,408",
            "thread_id": "4344",
            "caller": "0x7726269a",
            "parentcaller": "0x73e200b5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 266
          },
          {
            "timestamp": "2026-04-16 20:00:02,408",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe.config"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 267
          },
          {
            "timestamp": "2026-04-16 20:00:02,408",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 268
          },
          {
            "timestamp": "2026-04-16 20:00:02,408",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x77e40000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ntdll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 269
          },
          {
            "timestamp": "2026-04-16 20:00:02,408",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlUnwind"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea8f40"
              }
            ],
            "repeated": 0,
            "id": 270
          },
          {
            "timestamp": "2026-04-16 20:00:02,408",
            "thread_id": "4344",
            "caller": "0x77e7007d",
            "parentcaller": "0x7726648d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 271
          },
          {
            "timestamp": "2026-04-16 20:00:02,502",
            "thread_id": "4344",
            "caller": "0x7726074f",
            "parentcaller": "0x7389341a",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 272
          },
          {
            "timestamp": "2026-04-16 20:00:02,502",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "IsWow64Process"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad06e0"
              }
            ],
            "repeated": 0,
            "id": 273
          },
          {
            "timestamp": "2026-04-16 20:00:02,611",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7383d9eb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Fusion"
              },
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion"
              }
            ],
            "repeated": 0,
            "id": 274
          },
          {
            "timestamp": "2026-04-16 20:00:02,689",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7383d9eb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\NanoCore.exe"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 275
          },
          {
            "timestamp": "2026-04-16 20:00:02,799",
            "thread_id": "4344",
            "caller": "0x77264429",
            "parentcaller": "0x7383db34",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac"
              }
            ],
            "repeated": 0,
            "id": 276
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7383d9eb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Fusion"
              },
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion"
              }
            ],
            "repeated": 0,
            "id": 277
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x73b4b62d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "ValueName",
                "value": "CacheLocation"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation"
              }
            ],
            "repeated": 0,
            "id": 278
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x73b4b671",
            "parentcaller": "0x73b4b6fd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 279
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x7726074f",
            "parentcaller": "0x73b73ef5",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 280
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetSystemWindowsDirectoryW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ac9500"
              }
            ],
            "repeated": 0,
            "id": 281
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7383d9eb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Fusion"
              },
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion"
              }
            ],
            "repeated": 0,
            "id": 282
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x73893263",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "ValueName",
                "value": "DownloadCacheQuotaInKB"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB"
              }
            ],
            "repeated": 0,
            "id": 283
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7383d9eb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Fusion"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion"
              }
            ],
            "repeated": 0,
            "id": 284
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x738932b7",
            "parentcaller": "0x73892966",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 285
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x738931c0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "EnableLog"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog"
              }
            ],
            "repeated": 0,
            "id": 286
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x738931c0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "LoggingLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel"
              }
            ],
            "repeated": 0,
            "id": 287
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x738931c0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "ForceLog"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog"
              }
            ],
            "repeated": 0,
            "id": 288
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x738931c0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "LogFailures"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures"
              }
            ],
            "repeated": 0,
            "id": 289
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x738931c0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "VersioningLog"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog"
              }
            ],
            "repeated": 0,
            "id": 290
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x738931c0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "LogResourceBinds"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds"
              }
            ],
            "repeated": 0,
            "id": 291
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x738931c0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "UseLegacyIdentityFormat"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat"
              }
            ],
            "repeated": 0,
            "id": 292
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x738931c0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "DisableMSIPeek"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek"
              }
            ],
            "repeated": 0,
            "id": 293
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x738931c0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "NoClientChecks"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks"
              }
            ],
            "repeated": 0,
            "id": 294
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x73892a56",
            "parentcaller": "0x7389059b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 295
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7383d9eb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
              },
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
              }
            ],
            "repeated": 0,
            "id": 296
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x738931c0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "DevOverrideEnable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable"
              }
            ],
            "repeated": 0,
            "id": 297
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x73aa3b8f",
            "parentcaller": "0x73aa415a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 298
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x7726074f",
            "parentcaller": "0x7388c23b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "advapi32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              }
            ],
            "repeated": 0,
            "id": 299
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "AllocateAndInitializeSid"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebf090"
              }
            ],
            "repeated": 0,
            "id": 300
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x77260848",
            "parentcaller": "0x73890e3c",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000250"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 301
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "OpenProcessToken"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebea30"
              }
            ],
            "repeated": 0,
            "id": 302
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x77263cc4",
            "parentcaller": "0x73890e70",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000250"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000254"
              }
            ],
            "repeated": 0,
            "id": 303
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "GetTokenInformation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebe690"
              }
            ],
            "repeated": 0,
            "id": 304
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x77261446",
            "parentcaller": "0x73890e9b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 305
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x77261446",
            "parentcaller": "0x73890ec5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "t\\xb5+\\x01\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 306
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x7726269a",
            "parentcaller": "0x73890edd",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              }
            ],
            "repeated": 0,
            "id": 307
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x7726269a",
            "parentcaller": "0x73890ef0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              }
            ],
            "repeated": 0,
            "id": 308
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "InitializeAcl"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebf2d0"
              }
            ],
            "repeated": 0,
            "id": 309
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "AddAccessAllowedAce"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebf170"
              }
            ],
            "repeated": 0,
            "id": 310
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "FreeSid"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebfc70"
              }
            ],
            "repeated": 0,
            "id": 311
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x77260e58",
            "parentcaller": "0x77260abe",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000254"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0007",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_WRITE"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\Cor_Private_IPCBlock_7684"
              },
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 312
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x7726f16b",
            "parentcaller": "0x738921f3",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000254"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f20000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010ff150"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 313
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x7726074f",
            "parentcaller": "0x7388c23b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "advapi32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              }
            ],
            "repeated": 0,
            "id": 314
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "AllocateAndInitializeSid"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebf090"
              }
            ],
            "repeated": 0,
            "id": 315
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x77260848",
            "parentcaller": "0x73890e3c",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000250"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 316
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "OpenProcessToken"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebea30"
              }
            ],
            "repeated": 0,
            "id": 317
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x77263cc4",
            "parentcaller": "0x73890e70",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000250"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 318
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "GetTokenInformation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebe690"
              }
            ],
            "repeated": 0,
            "id": 319
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x77261446",
            "parentcaller": "0x73890e9b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 320
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x77261446",
            "parentcaller": "0x73890ec5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x8c\\xe1,\\x01\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 321
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x7726269a",
            "parentcaller": "0x73890edd",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              }
            ],
            "repeated": 0,
            "id": 322
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x7726269a",
            "parentcaller": "0x73890ef0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 323
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "InitializeAcl"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebf2d0"
              }
            ],
            "repeated": 0,
            "id": 324
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "AddAccessAllowedAce"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebf170"
              }
            ],
            "repeated": 0,
            "id": 325
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "FreeSid"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebfc70"
              }
            ],
            "repeated": 0,
            "id": 326
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x77260e58",
            "parentcaller": "0x77260abe",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000258"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0007",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_WRITE"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\Cor_Public_IPCBlock_7684"
              },
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 327
          },
          {
            "timestamp": "2026-04-16 20:00:02,971",
            "thread_id": "4344",
            "caller": "0x7726f16b",
            "parentcaller": "0x738922ec",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000258"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f40000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010ff170"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 328
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f50000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 329
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f50000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 330
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x7726074f",
            "parentcaller": "0x7386cc0a",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 331
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "SetThreadStackGuarantee"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad1f20"
              }
            ],
            "repeated": 0,
            "id": 332
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x7386aa35",
            "parentcaller": "0x738900a6",
            "category": "threading",
            "api": "SetThreadStackGuarantee",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InputSize",
                "value": "4096"
              },
              {
                "name": "OutputSize",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 333
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x76ad1e6a",
            "parentcaller": "0x7383a7ab",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 334
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73b787d1",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework\\NGen\\Policy\\v2.0"
              },
              {
                "name": "Handle",
                "value": "0x00000268"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\NGen\\Policy\\v2.0"
              }
            ],
            "repeated": 0,
            "id": 335
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x73b7880d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              },
              {
                "name": "ValueName",
                "value": "OptimizeUsedBinaries"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\NGen\\Policy\\v2.0\\OptimizeUsedBinaries"
              }
            ],
            "repeated": 0,
            "id": 336
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x738b2cae",
            "parentcaller": "0x73887206",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 337
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Microsoft\\CLR_v2.0_32\\UsageLogs\\NanoCore.exe.log"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 338
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x012d6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 339
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x76ad1e6a",
            "parentcaller": "0x7383a7ab",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 340
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x7726f231",
            "parentcaller": "0x7389378f",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 341
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "FlsSetValue"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad11e0"
              }
            ],
            "repeated": 0,
            "id": 342
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "FlsGetValue"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ace770"
              }
            ],
            "repeated": 0,
            "id": 343
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "FlsAlloc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad1e20"
              }
            ],
            "repeated": 0,
            "id": 344
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "FlsFree"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad2050"
              }
            ],
            "repeated": 0,
            "id": 345
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x76ad1e6a",
            "parentcaller": "0x7383a7ab",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 3,
            "id": 346
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 347
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x76ad1e6a",
            "parentcaller": "0x7383a7ab",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 348
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 349
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f51000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 350
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x012d8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 351
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x76ad1e6a",
            "parentcaller": "0x7383a7ab",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 4,
            "id": 352
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 353
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 354
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x012d9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 355
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x76ad1e6a",
            "parentcaller": "0x7383a7ab",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 4,
            "id": 356
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 357
          },
          {
            "timestamp": "2026-04-16 20:00:02,986",
            "thread_id": "4344",
            "caller": "0x77273ee6",
            "parentcaller": "0x77260d14",
            "category": "synchronization",
            "api": "NtCreateEvent",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "EventName",
                "value": "Global\\CorDBIPCSetupSyncEvent_7684"
              },
              {
                "name": "EventType",
                "value": "0"
              },
              {
                "name": "InitialState",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 358
          },
          {
            "timestamp": "2026-04-16 20:00:03,033",
            "thread_id": "4344",
            "caller": "0x77276987",
            "parentcaller": "0x76ad0f37",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000268"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7388f3ff"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "6276"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "Module",
                "value": "mscorwks.dll"
              }
            ],
            "repeated": 0,
            "id": 359
          },
          {
            "timestamp": "2026-04-16 20:00:03,033",
            "thread_id": "4344",
            "caller": "0x77276987",
            "parentcaller": "0x76ad0f37",
            "category": "threading",
            "api": "CreateThread",
            "status": true,
            "return": "0x00000268",
            "arguments": [
              {
                "name": "StartRoutine",
                "value": "0x7388f3ff"
              },
              {
                "name": "ModuleName",
                "value": "mscorwks.dll"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000004"
              },
              {
                "name": "ThreadId",
                "value": "6276"
              }
            ],
            "repeated": 0,
            "id": 360
          },
          {
            "timestamp": "2026-04-16 20:00:03,033",
            "thread_id": "4344",
            "caller": "0x7727d303",
            "parentcaller": "0x7388f3ea",
            "category": "threading",
            "api": "NtResumeThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000268"
              },
              {
                "name": "SuspendCount",
                "value": "1"
              },
              {
                "name": "ThreadId",
                "value": "6276"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 361
          },
          {
            "timestamp": "2026-04-16 20:00:03,033",
            "thread_id": "4344",
            "caller": "0x77261137",
            "parentcaller": "0x7726088e",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "MutexName",
                "value": ""
              },
              {
                "name": "InitialOwner",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 362
          },
          {
            "timestamp": "2026-04-16 20:00:03,033",
            "thread_id": "4344",
            "caller": "0x77265900",
            "parentcaller": "0x7388ee08",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 363
          },
          {
            "timestamp": "2026-04-16 20:00:03,033",
            "thread_id": "4344",
            "caller": "0x7388f260",
            "parentcaller": "0x7388f23a",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 364
          },
          {
            "timestamp": "2026-04-16 20:00:03,033",
            "thread_id": "4344",
            "caller": "0x7726074f",
            "parentcaller": "0x7388e8be",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 365
          },
          {
            "timestamp": "2026-04-16 20:00:03,033",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "AddVectoredContinueHandler"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ef8860"
              }
            ],
            "repeated": 0,
            "id": 366
          },
          {
            "timestamp": "2026-04-16 20:00:03,033",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "RemoveVectoredContinueHandler"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ef8880"
              }
            ],
            "repeated": 0,
            "id": 367
          },
          {
            "timestamp": "2026-04-16 20:00:03,033",
            "thread_id": "4344",
            "caller": "0x77ea1ee8",
            "parentcaller": "0x77ea1e71",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 368
          },
          {
            "timestamp": "2026-04-16 20:00:03,033",
            "thread_id": "4344",
            "caller": "0x77ea1ee8",
            "parentcaller": "0x77ea1ea1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 369
          },
          {
            "timestamp": "2026-04-16 20:00:03,033",
            "thread_id": "4344",
            "caller": "0x7388e451",
            "parentcaller": "0x7388731e",
            "category": "hooking",
            "api": "SetUnhandledExceptionFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ExceptionFilter",
                "value": "0x73dae000"
              }
            ],
            "repeated": 0,
            "id": 370
          },
          {
            "timestamp": "2026-04-16 20:00:03,033",
            "thread_id": "4344",
            "caller": "0x77271454",
            "parentcaller": "0x7386c4c9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000228"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 371
          },
          {
            "timestamp": "2026-04-16 20:00:03,033",
            "thread_id": "6276",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77150000"
              },
              {
                "name": "FunctionName",
                "value": "FlsGetValue"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77264500"
              }
            ],
            "repeated": 0,
            "id": 372
          },
          {
            "timestamp": "2026-04-16 20:00:03,033",
            "thread_id": "6276",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x012db000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 373
          },
          {
            "timestamp": "2026-04-16 20:00:03,033",
            "thread_id": "6276",
            "caller": "0x7726f231",
            "parentcaller": "0x736e2c18",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 2,
            "id": 374
          },
          {
            "timestamp": "2026-04-16 20:00:03,033",
            "thread_id": "6276",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 375
          },
          {
            "timestamp": "2026-04-16 20:00:03,033",
            "thread_id": "6276",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 376
          },
          {
            "timestamp": "2026-04-16 20:00:03,033",
            "thread_id": "6276",
            "caller": "0x7386aa35",
            "parentcaller": "0x7386aa9a",
            "category": "threading",
            "api": "SetThreadStackGuarantee",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InputSize",
                "value": "4096"
              },
              {
                "name": "OutputSize",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 377
          },
          {
            "timestamp": "2026-04-16 20:00:03,033",
            "thread_id": "6276",
            "caller": "0x772761f1",
            "parentcaller": "0x7386ab1a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05621000"
              },
              {
                "name": "RegionSize",
                "value": "0x000fa000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 378
          },
          {
            "timestamp": "2026-04-16 20:00:03,252",
            "thread_id": "4344",
            "caller": "0x7726269a",
            "parentcaller": "0x73aeacc4",
            "category": "system",
            "api": "NtClose",
            "status": false,
            "return": "0xffffffffc0000008",
            "pretty_return": "INVALID_HANDLE",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 379
          },
          {
            "timestamp": "2026-04-16 20:00:03,252",
            "thread_id": "4344",
            "caller": "0x7386aa35",
            "parentcaller": "0x7386aa9a",
            "category": "threading",
            "api": "SetThreadStackGuarantee",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InputSize",
                "value": "4096"
              },
              {
                "name": "OutputSize",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 380
          },
          {
            "timestamp": "2026-04-16 20:00:03,252",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x7386ab1a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01001000"
              },
              {
                "name": "RegionSize",
                "value": "0x000ee000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 381
          },
          {
            "timestamp": "2026-04-16 20:00:03,252",
            "thread_id": "4344",
            "caller": "0x77260c1f",
            "parentcaller": "0x7388c16d",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "EventName",
                "value": "Global\\CLR_PerfMon_StartEnumEvent"
              }
            ],
            "repeated": 0,
            "id": 382
          },
          {
            "timestamp": "2026-04-16 20:00:03,252",
            "thread_id": "4344",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x012dc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 383
          },
          {
            "timestamp": "2026-04-16 20:00:03,268",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f6a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 384
          },
          {
            "timestamp": "2026-04-16 20:00:03,268",
            "thread_id": "4344",
            "caller": "0x77274faa",
            "parentcaller": "0x7385f357",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x737e2000"
              },
              {
                "name": "ModuleName",
                "value": "mscorwks.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000020",
                "pretty_value": "PAGE_EXECUTE_READ"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 385
          },
          {
            "timestamp": "2026-04-16 20:00:03,268",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f62000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 386
          },
          {
            "timestamp": "2026-04-16 20:00:03,268",
            "thread_id": "4344",
            "caller": "0x76ad1e6a",
            "parentcaller": "0x7383a7ab",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 387
          },
          {
            "timestamp": "2026-04-16 20:00:03,268",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7388be89",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets"
              },
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets"
              }
            ],
            "repeated": 0,
            "id": 388
          },
          {
            "timestamp": "2026-04-16 20:00:03,268",
            "thread_id": "4344",
            "caller": "0x7393a55f",
            "parentcaller": "0x7388bece",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002a8"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 389
          },
          {
            "timestamp": "2026-04-16 20:00:03,268",
            "thread_id": "4344",
            "caller": "0x73841a80",
            "parentcaller": "0x7388bf0b",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "Internet"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet"
              }
            ],
            "repeated": 0,
            "id": 390
          },
          {
            "timestamp": "2026-04-16 20:00:03,268",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7388bf58",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002a8"
              },
              {
                "name": "SubKey",
                "value": "Internet"
              },
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet"
              }
            ],
            "repeated": 0,
            "id": 391
          },
          {
            "timestamp": "2026-04-16 20:00:03,283",
            "thread_id": "4344",
            "caller": "0x73841a80",
            "parentcaller": "0x7388bf8c",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "MediaPermission"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet\\MediaPermission"
              }
            ],
            "repeated": 0,
            "id": 392
          },
          {
            "timestamp": "2026-04-16 20:00:03,283",
            "thread_id": "4344",
            "caller": "0x73841a80",
            "parentcaller": "0x7388bf8c",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "WebBrowserPermission"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet\\WebBrowserPermission"
              }
            ],
            "repeated": 0,
            "id": 393
          },
          {
            "timestamp": "2026-04-16 20:00:03,283",
            "thread_id": "4344",
            "caller": "0x73841a80",
            "parentcaller": "0x7388bf8c",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet\\"
              }
            ],
            "repeated": 0,
            "id": 394
          },
          {
            "timestamp": "2026-04-16 20:00:03,283",
            "thread_id": "4344",
            "caller": "0x7388c090",
            "parentcaller": "0x7388b414",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              }
            ],
            "repeated": 0,
            "id": 395
          },
          {
            "timestamp": "2026-04-16 20:00:03,283",
            "thread_id": "4344",
            "caller": "0x73841a80",
            "parentcaller": "0x7388bf0b",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "LocalIntranet"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet"
              }
            ],
            "repeated": 0,
            "id": 396
          },
          {
            "timestamp": "2026-04-16 20:00:03,283",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7388bf58",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002a8"
              },
              {
                "name": "SubKey",
                "value": "LocalIntranet"
              },
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet"
              }
            ],
            "repeated": 0,
            "id": 397
          },
          {
            "timestamp": "2026-04-16 20:00:03,283",
            "thread_id": "4344",
            "caller": "0x73841a80",
            "parentcaller": "0x7388bf8c",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "MediaPermission"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet\\MediaPermission"
              }
            ],
            "repeated": 0,
            "id": 398
          },
          {
            "timestamp": "2026-04-16 20:00:03,283",
            "thread_id": "4344",
            "caller": "0x73841a80",
            "parentcaller": "0x7388bf8c",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "WebBrowserPermission"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet\\WebBrowserPermission"
              }
            ],
            "repeated": 0,
            "id": 399
          },
          {
            "timestamp": "2026-04-16 20:00:03,283",
            "thread_id": "4344",
            "caller": "0x73841a80",
            "parentcaller": "0x7388bf8c",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet\\"
              }
            ],
            "repeated": 0,
            "id": 400
          },
          {
            "timestamp": "2026-04-16 20:00:03,283",
            "thread_id": "4344",
            "caller": "0x7388c090",
            "parentcaller": "0x7388b414",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              }
            ],
            "repeated": 0,
            "id": 401
          },
          {
            "timestamp": "2026-04-16 20:00:03,283",
            "thread_id": "4344",
            "caller": "0x73841a80",
            "parentcaller": "0x7388bf0b",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\"
              }
            ],
            "repeated": 0,
            "id": 402
          },
          {
            "timestamp": "2026-04-16 20:00:03,283",
            "thread_id": "4344",
            "caller": "0x7388be02",
            "parentcaller": "0x7388b414",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              }
            ],
            "repeated": 0,
            "id": 403
          },
          {
            "timestamp": "2026-04-16 20:00:03,283",
            "thread_id": "4344",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x012dd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 404
          },
          {
            "timestamp": "2026-04-16 20:00:03,283",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 405
          },
          {
            "timestamp": "2026-04-16 20:00:03,283",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 406
          },
          {
            "timestamp": "2026-04-16 20:00:03,283",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 407
          },
          {
            "timestamp": "2026-04-16 20:00:03,283",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 408
          },
          {
            "timestamp": "2026-04-16 20:00:03,377",
            "thread_id": "4344",
            "caller": "0x77263cc4",
            "parentcaller": "0x738d74fa",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002a8"
              }
            ],
            "repeated": 0,
            "id": 409
          },
          {
            "timestamp": "2026-04-16 20:00:03,377",
            "thread_id": "4344",
            "caller": "0x77261446",
            "parentcaller": "0x738d73b8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 410
          },
          {
            "timestamp": "2026-04-16 20:00:03,377",
            "thread_id": "4344",
            "caller": "0x77261446",
            "parentcaller": "0x738d73f9",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xff+\\x01\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xcc\\x04\\x82\\xdf\\xb2e\\xf3\\xf4\\xc8\\x97L\\xbe\\xe8\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 411
          },
          {
            "timestamp": "2026-04-16 20:00:03,377",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "advapi32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x76ea0000"
              }
            ],
            "repeated": 0,
            "id": 412
          },
          {
            "timestamp": "2026-04-16 20:00:03,377",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x76ea0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "advapi32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 413
          },
          {
            "timestamp": "2026-04-16 20:00:03,377",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "ConvertSidToStringSidW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebe4c0"
              }
            ],
            "repeated": 0,
            "id": 414
          },
          {
            "timestamp": "2026-04-16 20:00:03,377",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x738d75c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3749840076-4109591986-3192690632-1000"
              },
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3749840076-4109591986-3192690632-1000"
              }
            ],
            "repeated": 0,
            "id": 415
          },
          {
            "timestamp": "2026-04-16 20:00:03,377",
            "thread_id": "4344",
            "caller": "0x738d75de",
            "parentcaller": "0x738d7029",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              }
            ],
            "repeated": 0,
            "id": 416
          },
          {
            "timestamp": "2026-04-16 20:00:03,377",
            "thread_id": "4344",
            "caller": "0x7726269a",
            "parentcaller": "0x7384680e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              }
            ],
            "repeated": 0,
            "id": 417
          },
          {
            "timestamp": "2026-04-16 20:00:03,377",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\shell32"
              },
              {
                "name": "DllBase",
                "value": "0x77590000"
              }
            ],
            "repeated": 0,
            "id": 418
          },
          {
            "timestamp": "2026-04-16 20:00:03,377",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77590000"
              }
            ],
            "repeated": 0,
            "id": 419
          },
          {
            "timestamp": "2026-04-16 20:00:03,377",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x77590000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 420
          },
          {
            "timestamp": "2026-04-16 20:00:03,377",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "shell32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77590000"
              },
              {
                "name": "FunctionName",
                "value": "SHGetFolderPathW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x776edc30"
              }
            ],
            "repeated": 0,
            "id": 421
          },
          {
            "timestamp": "2026-04-16 20:00:03,377",
            "thread_id": "4344",
            "caller": "0x77e9112f",
            "parentcaller": "0x77e8f0c9",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "windows.storage.dll"
              }
            ],
            "repeated": 0,
            "id": 422
          },
          {
            "timestamp": "2026-04-16 20:00:03,377",
            "thread_id": "4344",
            "caller": "0x77e921cc",
            "parentcaller": "0x77e920d6",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.storage.dll"
              }
            ],
            "repeated": 0,
            "id": 423
          },
          {
            "timestamp": "2026-04-16 20:00:03,377",
            "thread_id": "4344",
            "caller": "0x77e9e69c",
            "parentcaller": "0x77e9e212",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.storage.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 424
          },
          {
            "timestamp": "2026-04-16 20:00:03,377",
            "thread_id": "4344",
            "caller": "0x77e9e6d9",
            "parentcaller": "0x77e9e212",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002e0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\windows.storage.dll"
              }
            ],
            "repeated": 0,
            "id": 425
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x77e912bc",
            "parentcaller": "0x77e91427",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002e4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75700000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0060d000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 426
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x77e9009f",
            "parentcaller": "0x77e90824",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75ca5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 427
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x77ea1ee8",
            "parentcaller": "0x77ea1e71",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 428
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x77ea1ee8",
            "parentcaller": "0x77ea1ea1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 429
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x77e79ddb",
            "parentcaller": "0x77e8b530",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75c9f000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 430
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x77e9112f",
            "parentcaller": "0x77e8f0c9",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "Wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 431
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x77e9e72d",
            "parentcaller": "0x77e9e212",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e4"
              }
            ],
            "repeated": 0,
            "id": 432
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x77e9e735",
            "parentcaller": "0x77e9e212",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 433
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x77e921cc",
            "parentcaller": "0x77e920d6",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\Wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 434
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x77e921cc",
            "parentcaller": "0x77e920d6",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 435
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x77e9e69c",
            "parentcaller": "0x77e9e3e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wldp.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 436
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x77e9e6d9",
            "parentcaller": "0x77e9e3e8",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002e0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 437
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x77e912bc",
            "parentcaller": "0x77e91427",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002e4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x756d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00027000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 438
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x77e9009f",
            "parentcaller": "0x77e90824",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x756f2000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 439
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x77ea1ee8",
            "parentcaller": "0x77ea1e71",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 440
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x77ea1ee8",
            "parentcaller": "0x77ea1ea1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 441
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x77e79ddb",
            "parentcaller": "0x77e8b530",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x756f0000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 442
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x77e9e72d",
            "parentcaller": "0x77e9e3e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e4"
              }
            ],
            "repeated": 0,
            "id": 443
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x77e9e735",
            "parentcaller": "0x77e9e3e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 444
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x77e90da0",
            "parentcaller": "0x77e7e523",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75c9f000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 445
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x77e90f7a",
            "parentcaller": "0x77e90dc2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00\\\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00a\\x00t\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00c\\x00a\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00m\\x00p\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x00.\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 446
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x77e90da0",
            "parentcaller": "0x77e7e523",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x756f0000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 447
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x750d9851",
            "parentcaller": "0x750d8c22",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\SYSTEM32\\Wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 448
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x750d9890",
            "parentcaller": "0x750d8c22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wldp.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 449
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x750d9931",
            "parentcaller": "0x750d8c22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 450
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x750d9931",
            "parentcaller": "0x750d8c22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\Wldp"
              },
              {
                "name": "DllBase",
                "value": "0x756d0000"
              }
            ],
            "repeated": 0,
            "id": 451
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x750d9851",
            "parentcaller": "0x750d8c22",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\SYSTEM32\\windows.storage.dll"
              }
            ],
            "repeated": 0,
            "id": 452
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x750d9890",
            "parentcaller": "0x750d8c22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.storage.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 453
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x750d9931",
            "parentcaller": "0x750d8c22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 454
          },
          {
            "timestamp": "2026-04-16 20:00:03,393",
            "thread_id": "4344",
            "caller": "0x750d9931",
            "parentcaller": "0x750d8c22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\windows.storage"
              },
              {
                "name": "DllBase",
                "value": "0x75700000"
              }
            ],
            "repeated": 0,
            "id": 455
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x772656f1",
            "parentcaller": "0x756d69fd",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "api-ms-win-eventing-provider-l1-1-0.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77150000"
              }
            ],
            "repeated": 0,
            "id": 456
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x772696ea",
            "parentcaller": "0x756d6a24",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77150000"
              },
              {
                "name": "FunctionName",
                "value": "EventSetInformation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e70b80"
              }
            ],
            "repeated": 0,
            "id": 457
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x772605b6",
            "parentcaller": "0x756d6a53",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\wldp"
              },
              {
                "name": "BaseAddress",
                "value": "0x756d0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x756d8bd0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 458
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x7726074f",
            "parentcaller": "0x758dd258",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "api-ms-win-core-synch-l1-2-0.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77150000"
              }
            ],
            "repeated": 0,
            "id": 459
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x772696ea",
            "parentcaller": "0x758dd27f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77150000"
              },
              {
                "name": "FunctionName",
                "value": "InitializeConditionVariable"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea4e10"
              }
            ],
            "repeated": 0,
            "id": 460
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x772696ea",
            "parentcaller": "0x758dd28d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77150000"
              },
              {
                "name": "FunctionName",
                "value": "SleepConditionVariableCS"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77308040"
              }
            ],
            "repeated": 0,
            "id": 461
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x772696ea",
            "parentcaller": "0x758dd29b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77150000"
              },
              {
                "name": "FunctionName",
                "value": "WakeAllConditionVariable"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eaa570"
              }
            ],
            "repeated": 0,
            "id": 462
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x77e8ff5f",
            "parentcaller": "0x77e8fe54",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75ca5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 463
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x77e8ff94",
            "parentcaller": "0x77e8fe54",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75ca5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 464
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x012e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 465
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x7726074f",
            "parentcaller": "0x758979ad",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 466
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x772696ea",
            "parentcaller": "0x7589797e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e724f0"
              }
            ],
            "repeated": 0,
            "id": 467
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x772696ea",
            "parentcaller": "0x75897868",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb40c0"
              }
            ],
            "repeated": 0,
            "id": 468
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x772696ea",
            "parentcaller": "0x758977e7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e70780"
              }
            ],
            "repeated": 0,
            "id": 469
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x772696ea",
            "parentcaller": "0x7584a3ba",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eac2a0"
              }
            ],
            "repeated": 0,
            "id": 470
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x772696ea",
            "parentcaller": "0x75897927",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea52e0"
              }
            ],
            "repeated": 0,
            "id": 471
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x772696ea",
            "parentcaller": "0x758486ce",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 472
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x77261137",
            "parentcaller": "0x75897ab1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000304"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:7684:168:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 473
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x772627d9",
            "parentcaller": "0x75897cac",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000304"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 474
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x772627d9",
            "parentcaller": "0x77262732",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 475
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x772627d9",
            "parentcaller": "0x77262732",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 476
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x7726269a",
            "parentcaller": "0x7582f2ae",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 477
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x77265900",
            "parentcaller": "0x75897c8b",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000304"
              }
            ],
            "repeated": 1,
            "id": 478
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x7726269a",
            "parentcaller": "0x7582f2ae",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\windows.storage"
              },
              {
                "name": "BaseAddress",
                "value": "0x75700000"
              },
              {
                "name": "InitRoutine",
                "value": "0x758db920"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 479
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x77e8ff5f",
            "parentcaller": "0x77e8fe54",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77ae5000"
              },
              {
                "name": "ModuleName",
                "value": "shell32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 480
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x77e8ff94",
            "parentcaller": "0x77e8fe54",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77ae5000"
              },
              {
                "name": "ModuleName",
                "value": "shell32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 481
          },
          {
            "timestamp": "2026-04-16 20:00:03,408",
            "thread_id": "4344",
            "caller": "0x77e8ff94",
            "parentcaller": "0x77e8fe54",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\SHCORE"
              },
              {
                "name": "DllBase",
                "value": "0x76f70000"
              }
            ],
            "repeated": 0,
            "id": 482
          },
          {
            "timestamp": "2026-04-16 20:00:03,439",
            "thread_id": "4344",
            "caller": "0x77e8ff94",
            "parentcaller": "0x77e8fe54",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "4344"
              },
              {
                "name": "Module",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "Return Address",
                "value": "0x772833ec"
              }
            ],
            "repeated": 0,
            "id": 483
          },
          {
            "timestamp": "2026-04-16 20:00:04,346",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x7726961e",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 484
          },
          {
            "timestamp": "2026-04-16 20:00:04,346",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x7726961e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\profapi"
              },
              {
                "name": "DllBase",
                "value": "0x75260000"
              }
            ],
            "repeated": 0,
            "id": 485
          },
          {
            "timestamp": "2026-04-16 20:00:04,361",
            "thread_id": "4344",
            "caller": "0x758a5bf1",
            "parentcaller": "0x757e6154",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 486
          },
          {
            "timestamp": "2026-04-16 20:00:04,361",
            "thread_id": "4344",
            "caller": "0x758a5bf1",
            "parentcaller": "0x757e6154",
            "category": "filesystem",
            "api": "SHGetFolderPathW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Folder",
                "value": "0x0000801a",
                "pretty_value": "CSIDL_FLAG_CREATE|CSIDL_APPDATA"
              },
              {
                "name": "Path",
                "value": "C:\\Users\\cape\\AppData\\Roaming"
              }
            ],
            "repeated": 0,
            "id": 487
          },
          {
            "timestamp": "2026-04-16 20:00:04,361",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 488
          },
          {
            "timestamp": "2026-04-16 20:00:04,361",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 489
          },
          {
            "timestamp": "2026-04-16 20:00:04,361",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7388b8a4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy"
              }
            ],
            "repeated": 0,
            "id": 490
          },
          {
            "timestamp": "2026-04-16 20:00:04,361",
            "thread_id": "4344",
            "caller": "0x7726f231",
            "parentcaller": "0x7388b825",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 491
          },
          {
            "timestamp": "2026-04-16 20:00:04,361",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "FlushProcessWriteBuffers"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb3930"
              }
            ],
            "repeated": 0,
            "id": 492
          },
          {
            "timestamp": "2026-04-16 20:00:04,361",
            "thread_id": "4344",
            "caller": "0x7726074f",
            "parentcaller": "0x73896fc7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "Kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 493
          },
          {
            "timestamp": "2026-04-16 20:00:04,361",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetWriteWatch"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0590"
              }
            ],
            "repeated": 0,
            "id": 494
          },
          {
            "timestamp": "2026-04-16 20:00:04,361",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "ResetWriteWatch"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0740"
              }
            ],
            "repeated": 0,
            "id": 495
          },
          {
            "timestamp": "2026-04-16 20:00:04,361",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02fc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 496
          },
          {
            "timestamp": "2026-04-16 20:00:04,361",
            "thread_id": "4344",
            "caller": "0x77275e92",
            "parentcaller": "0x77275e55",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02fc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 497
          },
          {
            "timestamp": "2026-04-16 20:00:04,361",
            "thread_id": "4344",
            "caller": "0x7726074f",
            "parentcaller": "0x73897046",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "Kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 498
          },
          {
            "timestamp": "2026-04-16 20:00:04,361",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateMemoryResourceNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ac9950"
              }
            ],
            "repeated": 0,
            "id": 499
          },
          {
            "timestamp": "2026-04-16 20:00:04,361",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "QueryMemoryResourceNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ae4380"
              }
            ],
            "repeated": 0,
            "id": 500
          },
          {
            "timestamp": "2026-04-16 20:00:04,361",
            "thread_id": "4344",
            "caller": "0x7724e4c2",
            "parentcaller": "0x73897085",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "EventName",
                "value": "\\KernelObjects\\LowMemoryCondition"
              }
            ],
            "repeated": 0,
            "id": 501
          },
          {
            "timestamp": "2026-04-16 20:00:04,361",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05a80000"
              },
              {
                "name": "RegionSize",
                "value": "0x02000000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 502
          },
          {
            "timestamp": "2026-04-16 20:00:04,361",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07a80000"
              },
              {
                "name": "RegionSize",
                "value": "0x000a0000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 503
          },
          {
            "timestamp": "2026-04-16 20:00:04,518",
            "thread_id": "4344",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x012e3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 504
          },
          {
            "timestamp": "2026-04-16 20:00:04,518",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05a80000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 505
          },
          {
            "timestamp": "2026-04-16 20:00:04,518",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x06a80000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 506
          },
          {
            "timestamp": "2026-04-16 20:00:04,580",
            "thread_id": "4344",
            "caller": "0x77276987",
            "parentcaller": "0x76ad0f37",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7394890c"
              },
              {
                "name": "Parameter",
                "value": "0x012c5a78"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "6048"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "Module",
                "value": "mscorwks.dll"
              }
            ],
            "repeated": 0,
            "id": 507
          },
          {
            "timestamp": "2026-04-16 20:00:04,580",
            "thread_id": "4344",
            "caller": "0x77276987",
            "parentcaller": "0x76ad0f37",
            "category": "threading",
            "api": "CreateThread",
            "status": true,
            "return": "0x0000035c",
            "arguments": [
              {
                "name": "StartRoutine",
                "value": "0x7394890c"
              },
              {
                "name": "ModuleName",
                "value": "mscorwks.dll"
              },
              {
                "name": "Parameter",
                "value": "0x012c5a78"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000004"
              },
              {
                "name": "ThreadId",
                "value": "6048"
              }
            ],
            "repeated": 0,
            "id": 508
          },
          {
            "timestamp": "2026-04-16 20:00:04,580",
            "thread_id": "4344",
            "caller": "0x7727d303",
            "parentcaller": "0x7386ba5f",
            "category": "threading",
            "api": "NtResumeThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x0000035c"
              },
              {
                "name": "SuspendCount",
                "value": "1"
              },
              {
                "name": "ThreadId",
                "value": "6048"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 509
          },
          {
            "timestamp": "2026-04-16 20:00:04,580",
            "thread_id": "4344",
            "caller": "0x76ad1e6a",
            "parentcaller": "0x7383a7ab",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 510
          },
          {
            "timestamp": "2026-04-16 20:00:04,580",
            "thread_id": "4344",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x012ec000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 511
          },
          {
            "timestamp": "2026-04-16 20:00:04,580",
            "thread_id": "4344",
            "caller": "0x73910bc8",
            "parentcaller": "0x738d69ba",
            "category": "filesystem",
            "api": "UrlCanonicalizeW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Url",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\"
              }
            ],
            "repeated": 0,
            "id": 512
          },
          {
            "timestamp": "2026-04-16 20:00:04,580",
            "thread_id": "6048",
            "caller": "0x7726f231",
            "parentcaller": "0x736e2c18",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 2,
            "id": 513
          },
          {
            "timestamp": "2026-04-16 20:00:04,580",
            "thread_id": "6048",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 514
          },
          {
            "timestamp": "2026-04-16 20:00:04,580",
            "thread_id": "6048",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 515
          },
          {
            "timestamp": "2026-04-16 20:00:04,580",
            "thread_id": "6048",
            "caller": "0x7386aa35",
            "parentcaller": "0x7386aa9a",
            "category": "threading",
            "api": "SetThreadStackGuarantee",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InputSize",
                "value": "4096"
              },
              {
                "name": "OutputSize",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 516
          },
          {
            "timestamp": "2026-04-16 20:00:04,580",
            "thread_id": "6048",
            "caller": "0x772761f1",
            "parentcaller": "0x7386ab1a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07b61000"
              },
              {
                "name": "RegionSize",
                "value": "0x000fa000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 517
          },
          {
            "timestamp": "2026-04-16 20:00:04,580",
            "thread_id": "6048",
            "caller": "0x772627d9",
            "parentcaller": "0x737e58bd",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000340"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 518
          },
          {
            "timestamp": "2026-04-16 20:00:04,627",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7383d9eb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32"
              },
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32"
              }
            ],
            "repeated": 0,
            "id": 519
          },
          {
            "timestamp": "2026-04-16 20:00:04,627",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x738d455e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "LatestIndex"
              },
              {
                "name": "Data",
                "value": "12"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex"
              }
            ],
            "repeated": 0,
            "id": 520
          },
          {
            "timestamp": "2026-04-16 20:00:04,627",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7383d9eb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32"
              },
              {
                "name": "Handle",
                "value": "0x00000368"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32"
              }
            ],
            "repeated": 0,
            "id": 521
          },
          {
            "timestamp": "2026-04-16 20:00:04,627",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x738d455e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "LatestIndex"
              },
              {
                "name": "Data",
                "value": "12"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex"
              }
            ],
            "repeated": 0,
            "id": 522
          },
          {
            "timestamp": "2026-04-16 20:00:04,658",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000036c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\indexc.dat"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 523
          },
          {
            "timestamp": "2026-04-16 20:00:04,658",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7383d9eb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "indexc"
              },
              {
                "name": "Handle",
                "value": "0x00000370"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\indexc"
              }
            ],
            "repeated": 0,
            "id": 524
          },
          {
            "timestamp": "2026-04-16 20:00:04,658",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x7384b3c2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "NIUsageMask"
              },
              {
                "name": "Data",
                "value": "\\xff\\xe1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\indexc\\NIUsageMask"
              }
            ],
            "repeated": 0,
            "id": 525
          },
          {
            "timestamp": "2026-04-16 20:00:04,658",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x7384b3c2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              },
              {
                "name": "ValueName",
                "value": "ILUsageMask"
              },
              {
                "name": "Data",
                "value": "\\xff\\xff\\xff\\xf1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\indexc\\ILUsageMask"
              }
            ],
            "repeated": 0,
            "id": 526
          },
          {
            "timestamp": "2026-04-16 20:00:04,658",
            "thread_id": "4344",
            "caller": "0x738882f8",
            "parentcaller": "0x73888318",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 527
          },
          {
            "timestamp": "2026-04-16 20:00:04,658",
            "thread_id": "4344",
            "caller": "0x738d4593",
            "parentcaller": "0x738d471e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 528
          },
          {
            "timestamp": "2026-04-16 20:00:04,658",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7383d9eb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "NI\\181938c6\\7950e2c5"
              },
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5"
              }
            ],
            "repeated": 0,
            "id": 529
          },
          {
            "timestamp": "2026-04-16 20:00:04,658",
            "thread_id": "4344",
            "caller": "0x73841a80",
            "parentcaller": "0x7383dd78",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1"
              }
            ],
            "repeated": 0,
            "id": 530
          },
          {
            "timestamp": "2026-04-16 20:00:04,658",
            "thread_id": "4344",
            "caller": "0x73841a80",
            "parentcaller": "0x7383dde9",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\"
              }
            ],
            "repeated": 0,
            "id": 531
          },
          {
            "timestamp": "2026-04-16 20:00:04,658",
            "thread_id": "4344",
            "caller": "0x7383de65",
            "parentcaller": "0x7383ded6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 532
          },
          {
            "timestamp": "2026-04-16 20:00:04,658",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7383d9eb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "NI\\181938c6\\7950e2c5\\1"
              },
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1"
              }
            ],
            "repeated": 0,
            "id": 533
          },
          {
            "timestamp": "2026-04-16 20:00:04,658",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x7384b3c2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "DisplayName"
              },
              {
                "name": "Data",
                "value": "mscorlib,2.0.0.0,,b77a5c561934e089"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\DisplayName"
              }
            ],
            "repeated": 0,
            "id": 534
          },
          {
            "timestamp": "2026-04-16 20:00:04,658",
            "thread_id": "4344",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x012ee000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 535
          },
          {
            "timestamp": "2026-04-16 20:00:04,658",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x7384b3c2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "ConfigMask"
              },
              {
                "name": "Data",
                "value": "4361"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\ConfigMask"
              }
            ],
            "repeated": 0,
            "id": 536
          },
          {
            "timestamp": "2026-04-16 20:00:04,658",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x7384b3c2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "ConfigString"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\ConfigString"
              }
            ],
            "repeated": 0,
            "id": 537
          },
          {
            "timestamp": "2026-04-16 20:00:04,658",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x7384b3c2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "MVID"
              },
              {
                "name": "Data",
                "value": "\\x07\\xfe\\xde\\xcf;\\x96LM&\\xa6\\xec\\x99B&\\xef\\xe4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\MVID"
              }
            ],
            "repeated": 0,
            "id": 538
          },
          {
            "timestamp": "2026-04-16 20:00:04,658",
            "thread_id": "4344",
            "caller": "0x7384b7d1",
            "parentcaller": "0x7384b8c2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 539
          },
          {
            "timestamp": "2026-04-16 20:00:04,705",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7383d9eb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "NI\\181938c6\\7950e2c5\\1"
              },
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1"
              }
            ],
            "repeated": 0,
            "id": 540
          },
          {
            "timestamp": "2026-04-16 20:00:04,705",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x7384b3c2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "EvalationData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\EvalationData"
              }
            ],
            "repeated": 0,
            "id": 541
          },
          {
            "timestamp": "2026-04-16 20:00:04,705",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x7384b3c2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "Status"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\Status"
              }
            ],
            "repeated": 0,
            "id": 542
          },
          {
            "timestamp": "2026-04-16 20:00:04,705",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x7384b3c2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "ILDependencies"
              },
              {
                "name": "Data",
                "value": "\\xc5\\xe2Py\\xba{\\xb8\\x0c\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\ILDependencies"
              }
            ],
            "repeated": 0,
            "id": 543
          },
          {
            "timestamp": "2026-04-16 20:00:04,705",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x7384b3c2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "NIDependencies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\NIDependencies"
              }
            ],
            "repeated": 0,
            "id": 544
          },
          {
            "timestamp": "2026-04-16 20:00:04,705",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x7384b3c2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "MissingDependencies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\MissingDependencies"
              }
            ],
            "repeated": 0,
            "id": 545
          },
          {
            "timestamp": "2026-04-16 20:00:04,721",
            "thread_id": "4344",
            "caller": "0x7384b7d1",
            "parentcaller": "0x7384b8c2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 546
          },
          {
            "timestamp": "2026-04-16 20:00:04,721",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7383d9eb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "IL\\7950e2c5\\cb87bba\\1"
              },
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\cb87bba\\1"
              }
            ],
            "repeated": 0,
            "id": 547
          },
          {
            "timestamp": "2026-04-16 20:00:04,721",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x7384b3c2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "DisplayName"
              },
              {
                "name": "Data",
                "value": "mscorlib,2.0.0.0,,b77a5c561934e089"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\cb87bba\\1\\DisplayName"
              }
            ],
            "repeated": 0,
            "id": 548
          },
          {
            "timestamp": "2026-04-16 20:00:04,721",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x7384b3c2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "Status"
              },
              {
                "name": "Data",
                "value": "8198"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\cb87bba\\1\\Status"
              }
            ],
            "repeated": 0,
            "id": 549
          },
          {
            "timestamp": "2026-04-16 20:00:04,721",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x7384b3c2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "Modules"
              },
              {
                "name": "Data",
                "value": "sortkey.nlp|sorttbls.nlp|big5.nlp|bopomofo.nlp|ksc.nlp|prc.nlp|prcp.nlp|xjis.nlp|normidna.nlp|normnfc.nlp|normnfd.nlp|normnfkc.nlp|normnfkd.nlp"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\cb87bba\\1\\Modules"
              }
            ],
            "repeated": 0,
            "id": 550
          },
          {
            "timestamp": "2026-04-16 20:00:04,721",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x7384b3c2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "SIG"
              },
              {
                "name": "Data",
                "value": "\\xb23\\xc7M\\xdf\\xb0\\xb0D\\xba\\xbf+\\xb7\\xcf\\xfd\\xf4\\xab\\x91th\\x7f\\xa9w\\xa2\\xc6\\xae\\xd2Yqa\\xe9\\xe1\\x81\\x9d\\xe9K\\xa9"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\cb87bba\\1\\SIG"
              }
            ],
            "repeated": 0,
            "id": 551
          },
          {
            "timestamp": "2026-04-16 20:00:04,721",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x7384b3c2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "LastModTime"
              },
              {
                "name": "Data",
                "value": "m\\xa7>\\xfb\\x06\\xac\\xdc\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\cb87bba\\1\\LastModTime"
              }
            ],
            "repeated": 0,
            "id": 552
          },
          {
            "timestamp": "2026-04-16 20:00:04,721",
            "thread_id": "4344",
            "caller": "0x738c3118",
            "parentcaller": "0x738c2e31",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 553
          },
          {
            "timestamp": "2026-04-16 20:00:04,721",
            "thread_id": "4344",
            "caller": "0x7388a3f3",
            "parentcaller": "0x7388a421",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Fusion\\GACChangeNotification\\Default"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 554
          },
          {
            "timestamp": "2026-04-16 20:00:04,721",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x7388422f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "mscorlib,2.0.0.0,,b77a5c561934e089,x86"
              },
              {
                "name": "Data",
                "value": "m\\xa7>\\xfb\\x06\\xac\\xdc\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86"
              }
            ],
            "repeated": 0,
            "id": 555
          },
          {
            "timestamp": "2026-04-16 20:00:04,721",
            "thread_id": "4344",
            "caller": "0x76ad1e6a",
            "parentcaller": "0x7383a7ab",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 556
          },
          {
            "timestamp": "2026-04-16 20:00:05,393",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\07fedecf3b964c4d26a6ec994226efe4\\mscorlib.ni"
              },
              {
                "name": "DllBase",
                "value": "0x72be0000"
              }
            ],
            "repeated": 0,
            "id": 557
          },
          {
            "timestamp": "2026-04-16 20:00:05,393",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\07fedecf3b964c4d26a6ec994226efe4\\mscorlib.ni.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x72be0000"
              }
            ],
            "repeated": 0,
            "id": 558
          },
          {
            "timestamp": "2026-04-16 20:00:05,393",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x72be0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\07fedecf3b964c4d26a6ec994226efe4\\mscorlib.ni.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 559
          },
          {
            "timestamp": "2026-04-16 20:00:05,721",
            "thread_id": "4344",
            "caller": "0x76ad1e6a",
            "parentcaller": "0x7383a7ab",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 560
          },
          {
            "timestamp": "2026-04-16 20:00:05,721",
            "thread_id": "4344",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x012f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 561
          },
          {
            "timestamp": "2026-04-16 20:00:05,721",
            "thread_id": "4344",
            "caller": "0x76ad1e6a",
            "parentcaller": "0x7383a7ab",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 562
          },
          {
            "timestamp": "2026-04-16 20:00:05,721",
            "thread_id": "4344",
            "caller": "0x7726074f",
            "parentcaller": "0x738817cb",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "MSCORWKS.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x737e0000"
              }
            ],
            "repeated": 0,
            "id": 563
          },
          {
            "timestamp": "2026-04-16 20:00:05,721",
            "thread_id": "4344",
            "caller": "0x7726074f",
            "parentcaller": "0x738817cb",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "mscorjit.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x72d80618"
              }
            ],
            "repeated": 0,
            "id": 564
          },
          {
            "timestamp": "2026-04-16 20:00:05,736",
            "thread_id": "4344",
            "caller": "0x77264566",
            "parentcaller": "0x7383bded",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI"
              }
            ],
            "repeated": 0,
            "id": 565
          },
          {
            "timestamp": "2026-04-16 20:00:05,736",
            "thread_id": "4344",
            "caller": "0x77260b65",
            "parentcaller": "0x73889acc",
            "category": "synchronization",
            "api": "NtOpenMutant",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "MutexName",
                "value": "Global\\CLR_CASOFF_MUTEX"
              }
            ],
            "repeated": 0,
            "id": 566
          },
          {
            "timestamp": "2026-04-16 20:00:05,893",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 567
          },
          {
            "timestamp": "2026-04-16 20:00:05,986",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f72000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 568
          },
          {
            "timestamp": "2026-04-16 20:00:06,252",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x06a82000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 569
          },
          {
            "timestamp": "2026-04-16 20:00:06,346",
            "thread_id": "4344",
            "caller": "0x772627d9",
            "parentcaller": "0x77262732",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 570
          },
          {
            "timestamp": "2026-04-16 20:00:06,346",
            "thread_id": "4344",
            "caller": "0x772627d9",
            "parentcaller": "0x77262732",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Milliseconds",
                "value": "3000"
              }
            ],
            "repeated": 0,
            "id": 571
          },
          {
            "timestamp": "2026-04-16 20:00:06,346",
            "thread_id": "4344",
            "caller": "0x77265900",
            "parentcaller": "0x738d8c84",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 572
          },
          {
            "timestamp": "2026-04-16 20:00:06,346",
            "thread_id": "4344",
            "caller": "0x76ad1e6a",
            "parentcaller": "0x7383a7ab",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 573
          },
          {
            "timestamp": "2026-04-16 20:00:06,346",
            "thread_id": "4344",
            "caller": "0x77262ba1",
            "parentcaller": "0x76ace2b9",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 574
          },
          {
            "timestamp": "2026-04-16 20:00:06,346",
            "thread_id": "4344",
            "caller": "0x77264429",
            "parentcaller": "0x76ace2c9",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 575
          },
          {
            "timestamp": "2026-04-16 20:00:06,346",
            "thread_id": "4344",
            "caller": "0x77264566",
            "parentcaller": "0x76ace434",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x012dea30",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 576
          },
          {
            "timestamp": "2026-04-16 20:00:06,346",
            "thread_id": "4344",
            "caller": "0x77275d68",
            "parentcaller": "0x76ace44d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 577
          },
          {
            "timestamp": "2026-04-16 20:00:06,346",
            "thread_id": "4344",
            "caller": "0x77264566",
            "parentcaller": "0x76ace434",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x012de6b0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xb450bd8e"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dcac11"
              }
            ],
            "repeated": 0,
            "id": 578
          },
          {
            "timestamp": "2026-04-16 20:00:06,346",
            "thread_id": "4344",
            "caller": "0x77275d68",
            "parentcaller": "0x76ace44d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 579
          },
          {
            "timestamp": "2026-04-16 20:00:06,346",
            "thread_id": "4344",
            "caller": "0x77264566",
            "parentcaller": "0x76ace434",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x012de7b0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xb45caeb0"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dcac11"
              }
            ],
            "repeated": 0,
            "id": 580
          },
          {
            "timestamp": "2026-04-16 20:00:06,346",
            "thread_id": "4344",
            "caller": "0x77275d68",
            "parentcaller": "0x76ace44d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 581
          },
          {
            "timestamp": "2026-04-16 20:00:06,346",
            "thread_id": "4344",
            "caller": "0x77264566",
            "parentcaller": "0x76ace434",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x012debf0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xb45f137b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dcac11"
              }
            ],
            "repeated": 0,
            "id": 582
          },
          {
            "timestamp": "2026-04-16 20:00:06,346",
            "thread_id": "4344",
            "caller": "0x77275d68",
            "parentcaller": "0x76ace44d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 583
          },
          {
            "timestamp": "2026-04-16 20:00:06,346",
            "thread_id": "4344",
            "caller": "0x77264566",
            "parentcaller": "0x76ace434",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x012deab0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xb45f137b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dcac11"
              }
            ],
            "repeated": 0,
            "id": 584
          },
          {
            "timestamp": "2026-04-16 20:00:06,346",
            "thread_id": "4344",
            "caller": "0x77275d68",
            "parentcaller": "0x76ace44d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 585
          },
          {
            "timestamp": "2026-04-16 20:00:06,346",
            "thread_id": "4344",
            "caller": "0x77264566",
            "parentcaller": "0x76ace434",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x012dec30",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x57b0ced7"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dcacc6"
              }
            ],
            "repeated": 0,
            "id": 586
          },
          {
            "timestamp": "2026-04-16 20:00:06,346",
            "thread_id": "4344",
            "caller": "0x77275d68",
            "parentcaller": "0x76ace44d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 587
          },
          {
            "timestamp": "2026-04-16 20:00:06,346",
            "thread_id": "4344",
            "caller": "0x77262ba1",
            "parentcaller": "0x76ace569",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 588
          },
          {
            "timestamp": "2026-04-16 20:00:06,346",
            "thread_id": "4344",
            "caller": "0x76ad1e6a",
            "parentcaller": "0x7383a7ab",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 589
          },
          {
            "timestamp": "2026-04-16 20:00:06,346",
            "thread_id": "4344",
            "caller": "0x77262ba1",
            "parentcaller": "0x76ac6d31",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 590
          },
          {
            "timestamp": "2026-04-16 20:00:06,346",
            "thread_id": "4344",
            "caller": "0x77264429",
            "parentcaller": "0x76ac6d41",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 591
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x77262ba1",
            "parentcaller": "0x76ac7095",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 592
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x76ad1e6a",
            "parentcaller": "0x7383a7ab",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 593
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LdrLoadDll",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 594
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 595
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x772628b2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ole32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77060000"
              }
            ],
            "repeated": 0,
            "id": 596
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77060000"
              },
              {
                "name": "FunctionName",
                "value": "CoInitializeEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77bfd0d0"
              }
            ],
            "repeated": 0,
            "id": 597
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x772656f1",
            "parentcaller": "0x77be835f",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\rpcss.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x0000001e"
              }
            ],
            "repeated": 0,
            "id": 598
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x77c708e6",
            "parentcaller": "0x77c70886",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 599
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x77e8ff5f",
            "parentcaller": "0x77e8fe54",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77d97000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 600
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x77e8ff94",
            "parentcaller": "0x77e8fe54",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77d97000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 601
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x77e9112f",
            "parentcaller": "0x77e8f0c9",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000384"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "bcryptPrimitives.dll"
              }
            ],
            "repeated": 0,
            "id": 602
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x77e912bc",
            "parentcaller": "0x77e91427",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000384"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76d80000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0005f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 603
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x77ea1ee8",
            "parentcaller": "0x77ea1e71",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 604
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x77ea1ee8",
            "parentcaller": "0x77ea1ea1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 605
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x77e79ddb",
            "parentcaller": "0x77e8b530",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76dda000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 606
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x77e8f149",
            "parentcaller": "0x77e923c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 607
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x77e90da0",
            "parentcaller": "0x77e7e523",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76dda000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 608
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x750d9851",
            "parentcaller": "0x750d8c22",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives.dll"
              }
            ],
            "repeated": 0,
            "id": 609
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x750d9890",
            "parentcaller": "0x750d8c22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000384"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 610
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x750d9931",
            "parentcaller": "0x750d8c22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 611
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x750d9931",
            "parentcaller": "0x750d8c22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives"
              },
              {
                "name": "DllBase",
                "value": "0x76d80000"
              }
            ],
            "repeated": 0,
            "id": 612
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x76db3a14",
            "parentcaller": "0x76da92e7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 613
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x76db3a31",
            "parentcaller": "0x76da92e7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "STE"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE"
              }
            ],
            "repeated": 0,
            "id": 614
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x76db3a5f",
            "parentcaller": "0x76da92e7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 615
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x76da9836",
            "parentcaller": "0x76da973c",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 616
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x76da9858",
            "parentcaller": "0x76da973c",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "Enabled"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled"
              }
            ],
            "repeated": 0,
            "id": 617
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x76da98e5",
            "parentcaller": "0x76da973c",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000390"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa"
              }
            ],
            "repeated": 0,
            "id": 618
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x76da9907",
            "parentcaller": "0x76da973c",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000390"
              },
              {
                "name": "ValueName",
                "value": "FipsAlgorithmPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 619
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x76da995a",
            "parentcaller": "0x76da973c",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000038c"
              },
              {
                "name": "ValueName",
                "value": "MDMEnabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled"
              }
            ],
            "repeated": 0,
            "id": 620
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x76da9985",
            "parentcaller": "0x76da973c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000038c"
              }
            ],
            "repeated": 0,
            "id": 621
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x76da9993",
            "parentcaller": "0x76da973c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000390"
              }
            ],
            "repeated": 0,
            "id": 622
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x76da9790",
            "parentcaller": "0x76da9351",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              }
            ],
            "repeated": 0,
            "id": 623
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x76da96e4",
            "parentcaller": "0x76da9643",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000390"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\CNG"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 624
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x76da966e",
            "parentcaller": "0x76da95e5",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000390"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390008",
                "pretty_value": "IOCTL_KSEC_RANDOM_FILL_BUFFER"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "U;r\\xff-M\\x87=\\xf2\\xcfW\\x07\\xfa\\x84Qi\\xcb\\x12?x\\xe4\\x1e\\x18\\xe9r\\x943\\x19\\x04\\xf6\\x99u\\x80\\xa8\\x96\\xdbc\\x10\\x1c,\"Tre\\x87\\xb3\\x04\\xc4"
              }
            ],
            "repeated": 0,
            "id": 625
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x76da966e",
            "parentcaller": "0x76da95e5",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\bcryptprimitives"
              },
              {
                "name": "BaseAddress",
                "value": "0x76d80000"
              },
              {
                "name": "InitRoutine",
                "value": "0x76db36c0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 626
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x77e8ff5f",
            "parentcaller": "0x77e8fe54",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x769b1000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 627
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x77e8ff94",
            "parentcaller": "0x77e8fe54",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x769b1000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 628
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x012f2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 629
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x77e8ff5f",
            "parentcaller": "0x77e8fe54",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77d97000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 630
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x77e8ff94",
            "parentcaller": "0x77e8fe54",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77d97000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 631
          },
          {
            "timestamp": "2026-04-16 20:00:06,361",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x75d4f2f1",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\uxtheme"
              },
              {
                "name": "DllBase",
                "value": "0x745d0000"
              }
            ],
            "repeated": 0,
            "id": 632
          },
          {
            "timestamp": "2026-04-16 20:00:06,377",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x75d4f2f1",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x745d0000"
              }
            ],
            "repeated": 0,
            "id": 633
          },
          {
            "timestamp": "2026-04-16 20:00:06,377",
            "thread_id": "4344",
            "caller": "0x772696ea",
            "parentcaller": "0x75d4f331",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "uxtheme.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x745d0000"
              },
              {
                "name": "FunctionName",
                "value": "ThemeInitApiHook"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x74604330"
              }
            ],
            "repeated": 0,
            "id": 634
          },
          {
            "timestamp": "2026-04-16 20:00:06,377",
            "thread_id": "4344",
            "caller": "0x7460456c",
            "parentcaller": "0x7460434f",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 635
          },
          {
            "timestamp": "2026-04-16 20:00:06,377",
            "thread_id": "4344",
            "caller": "0x77e93999",
            "parentcaller": "0x77e6d7e4",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xea\\x0f\\x01\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xcc\\x04\\x82\\xdf\\xb2e\\xf3\\xf4\\xc8\\x97L\\xbe\\xe8\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0>`t\\xc7z\\xc4y\\x08\\xeb\\x0f\\x01\\xe1>`t"
              }
            ],
            "repeated": 0,
            "id": 636
          },
          {
            "timestamp": "2026-04-16 20:00:06,377",
            "thread_id": "4344",
            "caller": "0x77e6d817",
            "parentcaller": "0x7727b6b7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000394"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 637
          },
          {
            "timestamp": "2026-04-16 20:00:06,377",
            "thread_id": "4344",
            "caller": "0x77257324",
            "parentcaller": "0x77256e95",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000394"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              }
            ],
            "repeated": 0,
            "id": 638
          },
          {
            "timestamp": "2026-04-16 20:00:06,377",
            "thread_id": "4344",
            "caller": "0x77256a63",
            "parentcaller": "0x77256853",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "AppsUseLightTheme"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme"
              }
            ],
            "repeated": 0,
            "id": 639
          },
          {
            "timestamp": "2026-04-16 20:00:06,377",
            "thread_id": "4344",
            "caller": "0x77257f8b",
            "parentcaller": "0x7725632a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 640
          },
          {
            "timestamp": "2026-04-16 20:00:06,377",
            "thread_id": "4344",
            "caller": "0x77257f8b",
            "parentcaller": "0x7460451b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000394"
              }
            ],
            "repeated": 0,
            "id": 641
          },
          {
            "timestamp": "2026-04-16 20:00:06,377",
            "thread_id": "4344",
            "caller": "0x7726074f",
            "parentcaller": "0x7386cc0a",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 642
          },
          {
            "timestamp": "2026-04-16 20:00:06,377",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "QueryActCtxW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ac8760"
              }
            ],
            "repeated": 0,
            "id": 643
          },
          {
            "timestamp": "2026-04-16 20:00:06,377",
            "thread_id": "6048",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ole32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77060000"
              }
            ],
            "repeated": 0,
            "id": 644
          },
          {
            "timestamp": "2026-04-16 20:00:06,377",
            "thread_id": "6048",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x77060000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ole32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 645
          },
          {
            "timestamp": "2026-04-16 20:00:06,377",
            "thread_id": "6048",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77060000"
              },
              {
                "name": "FunctionName",
                "value": "CoGetContextToken"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77c72020"
              }
            ],
            "repeated": 0,
            "id": 646
          },
          {
            "timestamp": "2026-04-16 20:00:06,377",
            "thread_id": "6048",
            "caller": "0x772627d9",
            "parentcaller": "0x737e58bd",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 647
          },
          {
            "timestamp": "2026-04-16 20:00:06,377",
            "thread_id": "6048",
            "caller": "0x772627d9",
            "parentcaller": "0x737e58bd",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000340"
              },
              {
                "name": "Milliseconds",
                "value": "2000"
              }
            ],
            "repeated": 0,
            "id": 648
          },
          {
            "timestamp": "2026-04-16 20:00:06,518",
            "thread_id": "4344",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x012f6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 649
          },
          {
            "timestamp": "2026-04-16 20:00:06,518",
            "thread_id": "4344",
            "caller": "0x76ad1e6a",
            "parentcaller": "0x7383a7ab",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 650
          },
          {
            "timestamp": "2026-04-16 20:00:06,596",
            "thread_id": "4344",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x012f7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 651
          },
          {
            "timestamp": "2026-04-16 20:00:06,596",
            "thread_id": "4344",
            "caller": "0x73910bc8",
            "parentcaller": "0x738d69ba",
            "category": "filesystem",
            "api": "UrlCanonicalizeW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Url",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\"
              }
            ],
            "repeated": 0,
            "id": 652
          },
          {
            "timestamp": "2026-04-16 20:00:06,596",
            "thread_id": "4344",
            "caller": "0x73e17a31",
            "parentcaller": "0x73e523f8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework\\Policy\\AppPatch"
              },
              {
                "name": "Handle",
                "value": "0x000003a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\AppPatch"
              }
            ],
            "repeated": 0,
            "id": 653
          },
          {
            "timestamp": "2026-04-16 20:00:06,596",
            "thread_id": "4344",
            "caller": "0x77277bae",
            "parentcaller": "0x73e52c0b",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319"
              }
            ],
            "repeated": 0,
            "id": 654
          },
          {
            "timestamp": "2026-04-16 20:00:06,596",
            "thread_id": "4344",
            "caller": "0x73e17a31",
            "parentcaller": "0x73e523f8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003a4"
              },
              {
                "name": "SubKey",
                "value": "v4.0.30319.00000"
              },
              {
                "name": "Handle",
                "value": "0x000003a8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\policy\\AppPatch\\v4.0.30319.00000"
              }
            ],
            "repeated": 0,
            "id": 655
          },
          {
            "timestamp": "2026-04-16 20:00:06,596",
            "thread_id": "4344",
            "caller": "0x73e1760b",
            "parentcaller": "0x73e50f0e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 656
          },
          {
            "timestamp": "2026-04-16 20:00:06,596",
            "thread_id": "4344",
            "caller": "0x73e17a31",
            "parentcaller": "0x73e523f8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003a8"
              },
              {
                "name": "SubKey",
                "value": "mscorwks.dll"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\policy\\AppPatch\\v4.0.30319.00000\\mscorwks.dll"
              }
            ],
            "repeated": 0,
            "id": 657
          },
          {
            "timestamp": "2026-04-16 20:00:06,596",
            "thread_id": "4344",
            "caller": "0x73e1760b",
            "parentcaller": "0x73e50b0a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              }
            ],
            "repeated": 0,
            "id": 658
          },
          {
            "timestamp": "2026-04-16 20:00:06,705",
            "thread_id": "4344",
            "caller": "0x758a5bf1",
            "parentcaller": "0x757e6154",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 659
          },
          {
            "timestamp": "2026-04-16 20:00:06,705",
            "thread_id": "4344",
            "caller": "0x758a5bf1",
            "parentcaller": "0x757e6154",
            "category": "filesystem",
            "api": "SHGetFolderPathW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Folder",
                "value": "0x00000020",
                "pretty_value": "CSIDL_INTERNET_CACHE"
              },
              {
                "name": "Path",
                "value": "C:\\Users\\cape\\AppData\\Local\\Microsoft\\Windows\\INetCache"
              }
            ],
            "repeated": 0,
            "id": 660
          },
          {
            "timestamp": "2026-04-16 20:00:06,705",
            "thread_id": "4344",
            "caller": "0x76ad1e6a",
            "parentcaller": "0x7383a7ab",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 661
          },
          {
            "timestamp": "2026-04-16 20:00:06,705",
            "thread_id": "4344",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x012f9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 662
          },
          {
            "timestamp": "2026-04-16 20:00:06,705",
            "thread_id": "4344",
            "caller": "0x77264429",
            "parentcaller": "0x7383db34",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.config"
              }
            ],
            "repeated": 0,
            "id": 663
          },
          {
            "timestamp": "2026-04-16 20:00:06,705",
            "thread_id": "4344",
            "caller": "0x77277bae",
            "parentcaller": "0x73910d86",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              }
            ],
            "repeated": 1,
            "id": 664
          },
          {
            "timestamp": "2026-04-16 20:00:06,705",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7383d9eb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32"
              },
              {
                "name": "Handle",
                "value": "0x000003b0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32"
              }
            ],
            "repeated": 0,
            "id": 665
          },
          {
            "timestamp": "2026-04-16 20:00:06,705",
            "thread_id": "4344",
            "caller": "0x73832c2e",
            "parentcaller": "0x738d455e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "LatestIndex"
              },
              {
                "name": "Data",
                "value": "12"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex"
              }
            ],
            "repeated": 0,
            "id": 666
          },
          {
            "timestamp": "2026-04-16 20:00:06,705",
            "thread_id": "4344",
            "caller": "0x738d4593",
            "parentcaller": "0x738d471e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              }
            ],
            "repeated": 0,
            "id": 667
          },
          {
            "timestamp": "2026-04-16 20:00:06,705",
            "thread_id": "4344",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7383d9eb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "NI\\67ab48b3\\5693386e"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\67ab48b3\\5693386e"
              }
            ],
            "repeated": 0,
            "id": 668
          },
          {
            "timestamp": "2026-04-16 20:00:06,705",
            "thread_id": "4344",
            "caller": "0x76ad1e6a",
            "parentcaller": "0x7383a7ab",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 669
          },
          {
            "timestamp": "2026-04-16 20:00:06,705",
            "thread_id": "4344",
            "caller": "0x77264566",
            "parentcaller": "0x7383bded",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.INI"
              }
            ],
            "repeated": 0,
            "id": 670
          },
          {
            "timestamp": "2026-04-16 20:00:06,705",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 671
          },
          {
            "timestamp": "2026-04-16 20:00:06,705",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02fc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 672
          },
          {
            "timestamp": "2026-04-16 20:00:06,705",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02fc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000c000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 673
          },
          {
            "timestamp": "2026-04-16 20:00:06,705",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02fcc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 674
          },
          {
            "timestamp": "2026-04-16 20:00:06,705",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f73000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 675
          },
          {
            "timestamp": "2026-04-16 20:00:06,705",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02fcd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 676
          },
          {
            "timestamp": "2026-04-16 20:00:06,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 677
          },
          {
            "timestamp": "2026-04-16 20:00:06,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x76ab0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "kernel32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 678
          },
          {
            "timestamp": "2026-04-16 20:00:06,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02fce000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 679
          },
          {
            "timestamp": "2026-04-16 20:00:06,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetFullPathName"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 680
          },
          {
            "timestamp": "2026-04-16 20:00:06,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetFullPathNameW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad33d0"
              }
            ],
            "repeated": 0,
            "id": 681
          },
          {
            "timestamp": "2026-04-16 20:00:06,846",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02fab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 682
          },
          {
            "timestamp": "2026-04-16 20:00:06,846",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02fa7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 683
          },
          {
            "timestamp": "2026-04-16 20:00:06,846",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05a82000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 684
          },
          {
            "timestamp": "2026-04-16 20:00:06,893",
            "thread_id": "4344",
            "caller": "0x772765db",
            "parentcaller": "0x73947ec0",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000228"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x10\\xe3\\x00\\x04\\x1e\\x00\\x00\\xf8\\x10\\x00\\x00\\x03\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 685
          },
          {
            "timestamp": "2026-04-16 20:00:07,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetVersionEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 686
          },
          {
            "timestamp": "2026-04-16 20:00:07,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetVersionExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad18a0"
              }
            ],
            "repeated": 0,
            "id": 687
          },
          {
            "timestamp": "2026-04-16 20:00:07,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetVersionEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 688
          },
          {
            "timestamp": "2026-04-16 20:00:07,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetVersionExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad18a0"
              }
            ],
            "repeated": 0,
            "id": 689
          },
          {
            "timestamp": "2026-04-16 20:00:07,299",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 690
          },
          {
            "timestamp": "2026-04-16 20:00:07,377",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\l_intl.nls"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 691
          },
          {
            "timestamp": "2026-04-16 20:00:07,377",
            "thread_id": "4344",
            "caller": "0x7727081d",
            "parentcaller": "0x73887c47",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003ac"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SysWOW64\\l_intl.nls"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\xc6&\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 692
          },
          {
            "timestamp": "2026-04-16 20:00:07,377",
            "thread_id": "4344",
            "caller": "0x77260e58",
            "parentcaller": "0x77260abe",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000003ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\l_intl.nls"
              }
            ],
            "repeated": 0,
            "id": 693
          },
          {
            "timestamp": "2026-04-16 20:00:07,377",
            "thread_id": "4344",
            "caller": "0x7726f16b",
            "parentcaller": "0x73887c8b",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02fd0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fe448"
              },
              {
                "name": "ViewSize",
                "value": "0x00003000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 694
          },
          {
            "timestamp": "2026-04-16 20:00:07,377",
            "thread_id": "4344",
            "caller": "0x7726269a",
            "parentcaller": "0x73887c9a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 695
          },
          {
            "timestamp": "2026-04-16 20:00:07,377",
            "thread_id": "4344",
            "caller": "0x7726269a",
            "parentcaller": "0x73887c9d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              }
            ],
            "repeated": 0,
            "id": 696
          },
          {
            "timestamp": "2026-04-16 20:00:07,439",
            "thread_id": "4344",
            "caller": "0x73938391",
            "parentcaller": "0x739383dd",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 697
          },
          {
            "timestamp": "2026-04-16 20:00:07,439",
            "thread_id": "4344",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 698
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7727081d",
            "parentcaller": "0x73833265",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003a8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x16\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 699
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x77260e58",
            "parentcaller": "0x77260abe",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000003a8"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 700
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7727675b",
            "parentcaller": "0x7727669e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07dc0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010feca8"
              },
              {
                "name": "ViewSize",
                "value": "0x00161000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 701
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "AdvApi32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x76ea0000"
              }
            ],
            "repeated": 0,
            "id": 702
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x76ea0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "AdvApi32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 703
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "CryptAcquireContextA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebfc30"
              }
            ],
            "repeated": 0,
            "id": 704
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "CryptReleaseContext"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebf5c0"
              }
            ],
            "repeated": 0,
            "id": 705
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "CryptCreateHash"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebef10"
              }
            ],
            "repeated": 0,
            "id": 706
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "CryptDestroyHash"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebf440"
              }
            ],
            "repeated": 0,
            "id": 707
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "CryptHashData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebf130"
              }
            ],
            "repeated": 0,
            "id": 708
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "CryptGetHashParam"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebec70"
              }
            ],
            "repeated": 0,
            "id": 709
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "CryptImportKey"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebf0f0"
              }
            ],
            "repeated": 0,
            "id": 710
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "CryptExportKey"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebf110"
              }
            ],
            "repeated": 0,
            "id": 711
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "CryptGenKey"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ec46f0"
              }
            ],
            "repeated": 0,
            "id": 712
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "CryptGetKeyParam"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ed4820"
              }
            ],
            "repeated": 0,
            "id": 713
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "CryptDestroyKey"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebf4a0"
              }
            ],
            "repeated": 0,
            "id": 714
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "CryptVerifySignatureA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ed49a0"
              }
            ],
            "repeated": 0,
            "id": 715
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "CryptSignHashA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ed4960"
              }
            ],
            "repeated": 0,
            "id": 716
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "CryptGetProvParam"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ed4840"
              }
            ],
            "repeated": 0,
            "id": 717
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "CryptGetUserKey"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ed4860"
              }
            ],
            "repeated": 0,
            "id": 718
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "CryptEnumProvidersA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ed47c0"
              }
            ],
            "repeated": 0,
            "id": 719
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7388680d",
            "parentcaller": "0x738869a8",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\StrongName"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName"
              }
            ],
            "repeated": 0,
            "id": 720
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "mscoree.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x74160000"
              }
            ],
            "repeated": 0,
            "id": 721
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x74160000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "mscoree.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 722
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x74160000"
              },
              {
                "name": "FunctionName",
                "value": "GetMetaDataInternalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x74173190"
              }
            ],
            "repeated": 0,
            "id": 723
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "GetMetaDataInternalInterface_RetAddr"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 724
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "GetMetaDataInternalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x73e40220"
              }
            ],
            "repeated": 0,
            "id": 725
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscorwks.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x737e0000"
              },
              {
                "name": "FunctionName",
                "value": "GetMetaDataInternalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x73847f3b"
              }
            ],
            "repeated": 0,
            "id": 726
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x77270c75",
            "parentcaller": "0x738472ac",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07dc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00161000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 727
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7726269a",
            "parentcaller": "0x73913dfd",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 728
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x7726269a",
            "parentcaller": "0x73913e09",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              }
            ],
            "repeated": 0,
            "id": 729
          },
          {
            "timestamp": "2026-04-16 20:00:07,455",
            "thread_id": "4344",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f7c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 730
          },
          {
            "timestamp": "2026-04-16 20:00:07,861",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x00000000",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "4344"
              },
              {
                "name": "Module",
                "value": "KERNEL32.dll"
              },
              {
                "name": "Return Address",
                "value": "0x76ad24ac"
              }
            ],
            "repeated": 0,
            "id": 731
          },
          {
            "timestamp": "2026-04-16 20:00:07,955",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit"
              },
              {
                "name": "DllBase",
                "value": "0x72b80000"
              }
            ],
            "repeated": 0,
            "id": 732
          },
          {
            "timestamp": "2026-04-16 20:00:08,018",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x72b80000"
              }
            ],
            "repeated": 0,
            "id": 733
          },
          {
            "timestamp": "2026-04-16 20:00:08,018",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x72b80000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 734
          },
          {
            "timestamp": "2026-04-16 20:00:08,018",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscorjit.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x72b80000"
              },
              {
                "name": "FunctionName",
                "value": "getJit"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x72bc93fe"
              }
            ],
            "repeated": 0,
            "id": 735
          },
          {
            "timestamp": "2026-04-16 20:00:08,018",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 736
          },
          {
            "timestamp": "2026-04-16 20:00:08,018",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "IsWow64Process"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad06e0"
              }
            ],
            "repeated": 0,
            "id": 737
          },
          {
            "timestamp": "2026-04-16 20:00:08,127",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 738
          },
          {
            "timestamp": "2026-04-16 20:00:08,252",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x012fc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 739
          },
          {
            "timestamp": "2026-04-16 20:00:08,252",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f74000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 740
          },
          {
            "timestamp": "2026-04-16 20:00:08,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07c60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 741
          },
          {
            "timestamp": "2026-04-16 20:00:08,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07c60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 742
          },
          {
            "timestamp": "2026-04-16 20:00:09,205",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f9a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 743
          },
          {
            "timestamp": "2026-04-16 20:00:09,424",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c601b8",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000419",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 0,
            "id": 744
          },
          {
            "timestamp": "2026-04-16 20:00:09,424",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c601b8",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\ru-ru.nlp"
              }
            ],
            "repeated": 0,
            "id": 745
          },
          {
            "timestamp": "2026-04-16 20:00:09,424",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c601b8",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 746
          },
          {
            "timestamp": "2026-04-16 20:00:09,424",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c601b8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetUserDefaultUILanguage"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad1f60"
              }
            ],
            "repeated": 0,
            "id": 747
          },
          {
            "timestamp": "2026-04-16 20:00:09,549",
            "thread_id": "4344",
            "caller": "0x02f623e7",
            "parentcaller": "0x07c601b8",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 748
          },
          {
            "timestamp": "2026-04-16 20:00:09,549",
            "thread_id": "4344",
            "caller": "0x02f623e7",
            "parentcaller": "0x07c601b8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 749
          },
          {
            "timestamp": "2026-04-16 20:00:09,549",
            "thread_id": "4344",
            "caller": "0x02f623e7",
            "parentcaller": "0x07c601b8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00P\\x00\\x00\\x00\\x00\\x00\\x00`O\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 750
          },
          {
            "timestamp": "2026-04-16 20:00:09,549",
            "thread_id": "4344",
            "caller": "0x02f623e7",
            "parentcaller": "0x07c601b8",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000003bc"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp"
              }
            ],
            "repeated": 0,
            "id": 751
          },
          {
            "timestamp": "2026-04-16 20:00:09,549",
            "thread_id": "4344",
            "caller": "0x02f623e7",
            "parentcaller": "0x07c601b8",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07c70000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fccd8"
              },
              {
                "name": "ViewSize",
                "value": "0x00005000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 752
          },
          {
            "timestamp": "2026-04-16 20:00:09,549",
            "thread_id": "4344",
            "caller": "0x02f623e7",
            "parentcaller": "0x07c601b8",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 753
          },
          {
            "timestamp": "2026-04-16 20:00:09,689",
            "thread_id": "4344",
            "caller": "0x02f623e7",
            "parentcaller": "0x07c601b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f92000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 754
          },
          {
            "timestamp": "2026-04-16 20:00:09,830",
            "thread_id": "4344",
            "caller": "0x07c601b8",
            "parentcaller": "0x05730626",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 755
          },
          {
            "timestamp": "2026-04-16 20:00:09,846",
            "thread_id": "4344",
            "caller": "0x07c601b8",
            "parentcaller": "0x05730626",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 756
          },
          {
            "timestamp": "2026-04-16 20:00:09,846",
            "thread_id": "4344",
            "caller": "0x07c601b8",
            "parentcaller": "0x05730626",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 757
          },
          {
            "timestamp": "2026-04-16 20:00:09,846",
            "thread_id": "4344",
            "caller": "0x07c601b8",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000003c0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp"
              }
            ],
            "repeated": 0,
            "id": 758
          },
          {
            "timestamp": "2026-04-16 20:00:09,846",
            "thread_id": "4344",
            "caller": "0x07c601b8",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07c80000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd8d0"
              },
              {
                "name": "ViewSize",
                "value": "0x00041000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 759
          },
          {
            "timestamp": "2026-04-16 20:00:09,846",
            "thread_id": "4344",
            "caller": "0x07c601b8",
            "parentcaller": "0x05730626",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 760
          },
          {
            "timestamp": "2026-04-16 20:00:10,002",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Fusion\\PublisherPolicy\\Default"
              },
              {
                "name": "Handle",
                "value": "0x000003b0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default"
              }
            ],
            "repeated": 0,
            "id": 761
          },
          {
            "timestamp": "2026-04-16 20:00:10,002",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Latest"
              },
              {
                "name": "Data",
                "value": "5"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest"
              }
            ],
            "repeated": 0,
            "id": 762
          },
          {
            "timestamp": "2026-04-16 20:00:10,002",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\pubpol5.dat"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 763
          },
          {
            "timestamp": "2026-04-16 20:00:10,002",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "index5"
              },
              {
                "name": "Data",
                "value": "\\x1f"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index5"
              }
            ],
            "repeated": 0,
            "id": 764
          },
          {
            "timestamp": "2026-04-16 20:00:10,002",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "LegacyPolicyTimeStamp"
              },
              {
                "name": "Data",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp"
              }
            ],
            "repeated": 0,
            "id": 765
          },
          {
            "timestamp": "2026-04-16 20:00:10,018",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme"
              }
            ],
            "repeated": 0,
            "id": 766
          },
          {
            "timestamp": "2026-04-16 20:00:10,018",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
              }
            ],
            "repeated": 0,
            "id": 767
          },
          {
            "timestamp": "2026-04-16 20:00:10,018",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 768
          },
          {
            "timestamp": "2026-04-16 20:00:10,018",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x012ff000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 769
          },
          {
            "timestamp": "2026-04-16 20:00:10,018",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003a4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
              },
              {
                "name": "Buffer",
                "value": "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!--\r\n    Please refer to machine.config.comments for a description and\r\n    the default values of each configuration section.\r\n\r\n    For a full documentation of the schema please refer to\r\n    http://go.microsoft.com/"
              },
              {
                "name": "Length",
                "value": "4095"
              }
            ],
            "repeated": 0,
            "id": 770
          },
          {
            "timestamp": "2026-04-16 20:00:10,018",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01302000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 771
          },
          {
            "timestamp": "2026-04-16 20:00:10,018",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003a4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
              },
              {
                "name": "Buffer",
                "value": "7a5c561934e089\">\r\n            <section name=\"schemaImporterExtensions\" type=\"System.Xml.Serialization.Configuration.SchemaImporterExtensionsSection, System.Xml, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\"/>\r\n            <section name"
              },
              {
                "name": "Length",
                "value": "18712"
              }
            ],
            "repeated": 0,
            "id": 772
          },
          {
            "timestamp": "2026-04-16 20:00:10,018",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 773
          },
          {
            "timestamp": "2026-04-16 20:00:10,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003b0"
              },
              {
                "name": "SubKey",
                "value": "policy.2.0.System__b77a5c561934e089"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089"
              }
            ],
            "repeated": 0,
            "id": 774
          },
          {
            "timestamp": "2026-04-16 20:00:10,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "NI\\30bc7c4f\\3f50fe4f"
              },
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f"
              }
            ],
            "repeated": 0,
            "id": 775
          },
          {
            "timestamp": "2026-04-16 20:00:10,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "8"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8"
              }
            ],
            "repeated": 0,
            "id": 776
          },
          {
            "timestamp": "2026-04-16 20:00:10,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\"
              }
            ],
            "repeated": 0,
            "id": 777
          },
          {
            "timestamp": "2026-04-16 20:00:10,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 778
          },
          {
            "timestamp": "2026-04-16 20:00:10,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "NI\\30bc7c4f\\3f50fe4f\\8"
              },
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8"
              }
            ],
            "repeated": 0,
            "id": 779
          },
          {
            "timestamp": "2026-04-16 20:00:10,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "DisplayName"
              },
              {
                "name": "Data",
                "value": "System,2.0.0.0,,b77a5c561934e089"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\DisplayName"
              }
            ],
            "repeated": 0,
            "id": 780
          },
          {
            "timestamp": "2026-04-16 20:00:10,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ConfigMask"
              },
              {
                "name": "Data",
                "value": "4361"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\ConfigMask"
              }
            ],
            "repeated": 0,
            "id": 781
          },
          {
            "timestamp": "2026-04-16 20:00:10,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ConfigString"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\ConfigString"
              }
            ],
            "repeated": 0,
            "id": 782
          },
          {
            "timestamp": "2026-04-16 20:00:10,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "MVID"
              },
              {
                "name": "Data",
                "value": "\\xc6\r\\xd1\\xee\\x84;\\xa8\\xff\\x9e\\xe7\\xed\\xcdc\\x029;"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\MVID"
              }
            ],
            "repeated": 0,
            "id": 783
          },
          {
            "timestamp": "2026-04-16 20:00:10,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 784
          },
          {
            "timestamp": "2026-04-16 20:00:10,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "NI\\30bc7c4f\\3f50fe4f\\8"
              },
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8"
              }
            ],
            "repeated": 0,
            "id": 785
          },
          {
            "timestamp": "2026-04-16 20:00:10,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "EvalationData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\EvalationData"
              }
            ],
            "repeated": 0,
            "id": 786
          },
          {
            "timestamp": "2026-04-16 20:00:10,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Status"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\Status"
              }
            ],
            "repeated": 0,
            "id": 787
          },
          {
            "timestamp": "2026-04-16 20:00:10,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ILDependencies"
              },
              {
                "name": "Data",
                "value": "\\xd8\\xd4KB\\xd5\\x04\\xc5\\x0c\\x06\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00W\\x8d\\xab\\x19t&\\xa3.\\x07\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00O\\xfeP?\\xe6\\xad\\xb2G\\x08\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\ILDependencies"
              }
            ],
            "repeated": 0,
            "id": 788
          },
          {
            "timestamp": "2026-04-16 20:00:10,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "NIDependencies"
              },
              {
                "name": "Data",
                "value": "\\xc68\\x19\\x18\\xc5\\xe2Py\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\NIDependencies"
              }
            ],
            "repeated": 0,
            "id": 789
          },
          {
            "timestamp": "2026-04-16 20:00:10,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "MissingDependencies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\MissingDependencies"
              }
            ],
            "repeated": 0,
            "id": 790
          },
          {
            "timestamp": "2026-04-16 20:00:10,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 791
          },
          {
            "timestamp": "2026-04-16 20:00:10,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "IL\\424bd4d8\\cc504d5\\6"
              },
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\cc504d5\\6"
              }
            ],
            "repeated": 0,
            "id": 792
          },
          {
            "timestamp": "2026-04-16 20:00:10,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "DisplayName"
              },
              {
                "name": "Data",
                "value": "System.Configuration,2.0.0.0,,b03f5f7f11d50a3a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\cc504d5\\6\\DisplayName"
              }
            ],
            "repeated": 0,
            "id": 793
          },
          {
            "timestamp": "2026-04-16 20:00:10,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Status"
              },
              {
                "name": "Data",
                "value": "4098"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\cc504d5\\6\\Status"
              }
            ],
            "repeated": 0,
            "id": 794
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Modules"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\cc504d5\\6\\Modules"
              }
            ],
            "repeated": 0,
            "id": 795
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "SIG"
              },
              {
                "name": "Data",
                "value": ";\\xf2\\x93\\x1d\\xca\\xffYI\\xab\\xdc&X\\x07\\xe4$-!M\\xd0D\\x87\\xd2\\xcbu\\xd7)\\x06\\xd2\\xf2\\x1b\\x07\n{\\xefi\\xab"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\cc504d5\\6\\SIG"
              }
            ],
            "repeated": 0,
            "id": 796
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LastModTime"
              },
              {
                "name": "Data",
                "value": "Zk\\xb2'\\x07\\xac\\xdc\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\cc504d5\\6\\LastModTime"
              }
            ],
            "repeated": 0,
            "id": 797
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 798
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "IL\\19ab8d57\\2ea32674\\7"
              },
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\2ea32674\\7"
              }
            ],
            "repeated": 0,
            "id": 799
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "DisplayName"
              },
              {
                "name": "Data",
                "value": "System.Xml,2.0.0.0,,b77a5c561934e089"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\2ea32674\\7\\DisplayName"
              }
            ],
            "repeated": 0,
            "id": 800
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Status"
              },
              {
                "name": "Data",
                "value": "4098"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\2ea32674\\7\\Status"
              }
            ],
            "repeated": 0,
            "id": 801
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Modules"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\2ea32674\\7\\Modules"
              }
            ],
            "repeated": 0,
            "id": 802
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "SIG"
              },
              {
                "name": "Data",
                "value": "\\xb2\\x1aNYhyhC\\xa1\\xe5\\x96\\xe9\\x9a\\xf9@\\xad\\x19-\\x99{\\x90v\\xc4\\xa3+&d\\x93s{\\x8e\\xce\\x92\\x18\\xc5\\xc6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\2ea32674\\7\\SIG"
              }
            ],
            "repeated": 0,
            "id": 803
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LastModTime"
              },
              {
                "name": "Data",
                "value": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\2ea32674\\7\\LastModTime"
              }
            ],
            "repeated": 0,
            "id": 804
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 805
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "IL\\3f50fe4f\\47b2ade6\\8"
              },
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\47b2ade6\\8"
              }
            ],
            "repeated": 0,
            "id": 806
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "DisplayName"
              },
              {
                "name": "Data",
                "value": "System,2.0.0.0,,b77a5c561934e089"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\47b2ade6\\8\\DisplayName"
              }
            ],
            "repeated": 0,
            "id": 807
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Status"
              },
              {
                "name": "Data",
                "value": "4098"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\47b2ade6\\8\\Status"
              }
            ],
            "repeated": 0,
            "id": 808
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Modules"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\47b2ade6\\8\\Modules"
              }
            ],
            "repeated": 0,
            "id": 809
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "SIG"
              },
              {
                "name": "Data",
                "value": "\\xd40\\\\x82\\xcf\\xa4LF\\xb7\\xeb\\xb8\\x14XT\\xd1\\xf81\\x82\\x8d\\xfa\\x12E\\x8d}\\x7f\\x90'\\xf5\\xa5\\x82\\xdb\\x0c\\x14c\\x12\\x1a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\47b2ade6\\8\\SIG"
              }
            ],
            "repeated": 0,
            "id": 810
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LastModTime"
              },
              {
                "name": "Data",
                "value": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\47b2ade6\\8\\LastModTime"
              }
            ],
            "repeated": 0,
            "id": 811
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 812
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "System,2.0.0.0,,b77a5c561934e089,MSIL"
              },
              {
                "name": "Data",
                "value": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL"
              }
            ],
            "repeated": 0,
            "id": 813
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003b0"
              },
              {
                "name": "SubKey",
                "value": "policy.2.0.System.Xml__b77a5c561934e089"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089"
              }
            ],
            "repeated": 0,
            "id": 814
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "System.Xml,2.0.0.0,,b77a5c561934e089,MSIL"
              },
              {
                "name": "Data",
                "value": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL"
              }
            ],
            "repeated": 0,
            "id": 815
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003b0"
              },
              {
                "name": "SubKey",
                "value": "policy.2.0.System.Configuration__b03f5f7f11d50a3a"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a"
              }
            ],
            "repeated": 0,
            "id": 816
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL"
              },
              {
                "name": "Data",
                "value": "Zk\\xb2'\\x07\\xac\\xdc\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL"
              }
            ],
            "repeated": 0,
            "id": 817
          },
          {
            "timestamp": "2026-04-16 20:00:10,096",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 818
          },
          {
            "timestamp": "2026-04-16 20:00:10,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\c60dd1ee843ba8ff9ee7edcd6302393b\\System.ni"
              },
              {
                "name": "DllBase",
                "value": "0x723d0000"
              }
            ],
            "repeated": 0,
            "id": 819
          },
          {
            "timestamp": "2026-04-16 20:00:10,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\c60dd1ee843ba8ff9ee7edcd6302393b\\System.ni.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x723d0000"
              }
            ],
            "repeated": 0,
            "id": 820
          },
          {
            "timestamp": "2026-04-16 20:00:10,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x723d0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\c60dd1ee843ba8ff9ee7edcd6302393b\\System.ni.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 821
          },
          {
            "timestamp": "2026-04-16 20:00:10,971",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 3,
            "id": 822
          },
          {
            "timestamp": "2026-04-16 20:00:10,971",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "MSCORWKS.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x737e0000"
              }
            ],
            "repeated": 0,
            "id": 823
          },
          {
            "timestamp": "2026-04-16 20:00:10,971",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "mscorjit.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x72b80000"
              }
            ],
            "repeated": 0,
            "id": 824
          },
          {
            "timestamp": "2026-04-16 20:00:10,971",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.INI"
              }
            ],
            "repeated": 0,
            "id": 825
          },
          {
            "timestamp": "2026-04-16 20:00:10,971",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA"
              }
            ],
            "repeated": 0,
            "id": 826
          },
          {
            "timestamp": "2026-04-16 20:00:11,268",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f75000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 827
          },
          {
            "timestamp": "2026-04-16 20:00:11,533",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07cd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 828
          },
          {
            "timestamp": "2026-04-16 20:00:11,533",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ce0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 829
          },
          {
            "timestamp": "2026-04-16 20:00:11,533",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07cf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 830
          },
          {
            "timestamp": "2026-04-16 20:00:11,533",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 831
          },
          {
            "timestamp": "2026-04-16 20:00:11,533",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 832
          },
          {
            "timestamp": "2026-04-16 20:00:11,533",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d20000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 833
          },
          {
            "timestamp": "2026-04-16 20:00:11,533",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d30000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 834
          },
          {
            "timestamp": "2026-04-16 20:00:11,549",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 835
          },
          {
            "timestamp": "2026-04-16 20:00:11,549",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d50000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 836
          },
          {
            "timestamp": "2026-04-16 20:00:11,549",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 837
          },
          {
            "timestamp": "2026-04-16 20:00:11,549",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 838
          },
          {
            "timestamp": "2026-04-16 20:00:11,549",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d80000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 839
          },
          {
            "timestamp": "2026-04-16 20:00:11,549",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 840
          },
          {
            "timestamp": "2026-04-16 20:00:11,549",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07da0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 841
          },
          {
            "timestamp": "2026-04-16 20:00:11,549",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07dc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 842
          },
          {
            "timestamp": "2026-04-16 20:00:11,549",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07dd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 843
          },
          {
            "timestamp": "2026-04-16 20:00:11,549",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 844
          },
          {
            "timestamp": "2026-04-16 20:00:11,549",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07df0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 845
          },
          {
            "timestamp": "2026-04-16 20:00:11,549",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07e00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 846
          },
          {
            "timestamp": "2026-04-16 20:00:11,549",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07e10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00063000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 847
          },
          {
            "timestamp": "2026-04-16 20:00:11,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07e80000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 848
          },
          {
            "timestamp": "2026-04-16 20:00:11,580",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07e90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 849
          },
          {
            "timestamp": "2026-04-16 20:00:11,580",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ea0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 850
          },
          {
            "timestamp": "2026-04-16 20:00:11,580",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07eb0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 851
          },
          {
            "timestamp": "2026-04-16 20:00:11,580",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ec0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 852
          },
          {
            "timestamp": "2026-04-16 20:00:11,580",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 853
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07c61000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 854
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01307000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 855
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 856
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 857
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ee2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 858
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 859
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ec0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 860
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07eb0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 861
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ea0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 862
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07e90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 863
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07e80000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 864
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07e10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00063000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 865
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07e00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 866
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07df0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 867
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 868
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07dd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 869
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07dc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 870
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07da0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 871
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 872
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d80000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 873
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 874
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 875
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d50000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 876
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 877
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d30000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 878
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d20000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 879
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 880
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 881
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07cf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 882
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ce0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 883
          },
          {
            "timestamp": "2026-04-16 20:00:11,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07cd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 884
          },
          {
            "timestamp": "2026-04-16 20:00:11,611",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c699f8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "lstrlen"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0440"
              }
            ],
            "repeated": 0,
            "id": 885
          },
          {
            "timestamp": "2026-04-16 20:00:11,611",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c699f8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "lstrlenW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ace0b0"
              }
            ],
            "repeated": 0,
            "id": 886
          },
          {
            "timestamp": "2026-04-16 20:00:11,611",
            "thread_id": "4344",
            "caller": "0x07c699f8",
            "parentcaller": "0x07c6041b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "mscoree.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x74160000"
              }
            ],
            "repeated": 0,
            "id": 887
          },
          {
            "timestamp": "2026-04-16 20:00:11,611",
            "thread_id": "4344",
            "caller": "0x07c699f8",
            "parentcaller": "0x07c6041b",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x74160000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "mscoree.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 888
          },
          {
            "timestamp": "2026-04-16 20:00:11,611",
            "thread_id": "4344",
            "caller": "0x07c699f8",
            "parentcaller": "0x07c6041b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x74160000"
              },
              {
                "name": "FunctionName",
                "value": "ND_RI4"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x74173b00"
              }
            ],
            "repeated": 0,
            "id": 889
          },
          {
            "timestamp": "2026-04-16 20:00:11,611",
            "thread_id": "4344",
            "caller": "0x07c699f8",
            "parentcaller": "0x07c6041b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "ND_RI4_RetAddr"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 890
          },
          {
            "timestamp": "2026-04-16 20:00:11,611",
            "thread_id": "4344",
            "caller": "0x07c699f8",
            "parentcaller": "0x07c6041b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "ND_RI4"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x73e409b0"
              }
            ],
            "repeated": 0,
            "id": 891
          },
          {
            "timestamp": "2026-04-16 20:00:11,611",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c64be5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ee3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 892
          },
          {
            "timestamp": "2026-04-16 20:00:11,611",
            "thread_id": "4344",
            "caller": "0x07c6743d",
            "parentcaller": "0x07c60076",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x74160000"
              },
              {
                "name": "FunctionName",
                "value": "ND_RI8"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x74173bc0"
              }
            ],
            "repeated": 0,
            "id": 893
          },
          {
            "timestamp": "2026-04-16 20:00:11,611",
            "thread_id": "4344",
            "caller": "0x07c69aea",
            "parentcaller": "0x07c6743d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "ND_RI8_RetAddr"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 894
          },
          {
            "timestamp": "2026-04-16 20:00:11,611",
            "thread_id": "4344",
            "caller": "0x07c69aea",
            "parentcaller": "0x07c6743d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "ND_RI8"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x73e409c0"
              }
            ],
            "repeated": 0,
            "id": 895
          },
          {
            "timestamp": "2026-04-16 20:00:11,611",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c69b2b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x74160000"
              },
              {
                "name": "FunctionName",
                "value": "ND_WI4"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x74173e30"
              }
            ],
            "repeated": 0,
            "id": 896
          },
          {
            "timestamp": "2026-04-16 20:00:11,611",
            "thread_id": "4344",
            "caller": "0x02f6a468",
            "parentcaller": "0x07c69b2b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "ND_WI4_RetAddr"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 897
          },
          {
            "timestamp": "2026-04-16 20:00:11,611",
            "thread_id": "4344",
            "caller": "0x02f6a468",
            "parentcaller": "0x07c69b2b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "ND_WI4"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x73e40a00"
              }
            ],
            "repeated": 0,
            "id": 898
          },
          {
            "timestamp": "2026-04-16 20:00:11,611",
            "thread_id": "4344",
            "caller": "0x07c60bcf",
            "parentcaller": "0x07c60076",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x74160000"
              },
              {
                "name": "FunctionName",
                "value": "ND_WI8"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x74173f00"
              }
            ],
            "repeated": 0,
            "id": 899
          },
          {
            "timestamp": "2026-04-16 20:00:11,611",
            "thread_id": "4344",
            "caller": "0x07c69c48",
            "parentcaller": "0x07c60bcf",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "ND_WI8_RetAddr"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 900
          },
          {
            "timestamp": "2026-04-16 20:00:11,611",
            "thread_id": "4344",
            "caller": "0x07c69c48",
            "parentcaller": "0x07c60bcf",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "ND_WI8"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x73e40a20"
              }
            ],
            "repeated": 0,
            "id": 901
          },
          {
            "timestamp": "2026-04-16 20:00:11,611",
            "thread_id": "4344",
            "caller": "0x07c69c88",
            "parentcaller": "0x07c65ba7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ole32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77060000"
              }
            ],
            "repeated": 0,
            "id": 902
          },
          {
            "timestamp": "2026-04-16 20:00:11,611",
            "thread_id": "4344",
            "caller": "0x07c69c88",
            "parentcaller": "0x07c65ba7",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x77060000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ole32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 903
          },
          {
            "timestamp": "2026-04-16 20:00:11,611",
            "thread_id": "4344",
            "caller": "0x07c69c88",
            "parentcaller": "0x07c65ba7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77060000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemAlloc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77c57f90"
              }
            ],
            "repeated": 0,
            "id": 904
          },
          {
            "timestamp": "2026-04-16 20:00:11,627",
            "thread_id": "4344",
            "caller": "0x07c69db3",
            "parentcaller": "0x07c67059",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x06a92000"
              },
              {
                "name": "RegionSize",
                "value": "0x000a6000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 905
          },
          {
            "timestamp": "2026-04-16 20:00:11,627",
            "thread_id": "4344",
            "caller": "0x07c67960",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x06b38000"
              },
              {
                "name": "RegionSize",
                "value": "0x000b4000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 906
          },
          {
            "timestamp": "2026-04-16 20:00:11,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c62679",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "VirtualProtect"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad04c0"
              }
            ],
            "repeated": 0,
            "id": 907
          },
          {
            "timestamp": "2026-04-16 20:00:11,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f7a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 908
          },
          {
            "timestamp": "2026-04-16 20:00:11,705",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 909
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 910
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 911
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 912
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 913
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 914
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 915
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 916
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 917
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 918
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 919
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 920
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 921
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 922
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 923
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 924
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 925
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 926
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 927
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 928
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 929
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 930
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 931
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 932
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 933
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 934
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 935
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 936
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 937
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 938
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 939
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 940
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 941
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 942
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 943
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 944
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 945
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 946
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 947
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 948
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 949
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 950
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 951
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 952
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 953
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 954
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 955
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 956
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 957
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 958
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 959
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 960
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 961
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 962
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 963
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 964
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 965
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 966
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 967
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 968
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 969
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 970
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 971
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 972
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 973
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 974
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 975
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 976
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 977
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 978
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 979
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 980
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 981
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 982
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 983
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 984
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 985
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 986
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 987
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 988
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 989
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 990
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 991
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 992
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 993
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 994
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 995
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 996
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 997
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 998
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 999
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1000
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1001
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1002
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1003
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1004
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1005
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1006
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1007
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1008
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1009
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1010
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1011
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1012
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1013
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1014
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1015
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1016
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1017
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1018
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1019
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1020
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1021
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1022
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1023
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1024
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1025
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1026
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1027
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1028
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1029
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1030
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1031
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1032
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1033
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1034
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1035
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1036
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1037
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1038
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1039
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1040
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1041
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1042
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1043
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1044
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1045
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1046
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1047
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1048
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1049
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1050
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1051
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1052
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1053
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1054
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1055
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1056
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1057
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1058
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1059
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1060
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1061
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1062
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1063
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1064
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1065
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1066
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1067
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1068
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1069
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1070
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1071
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1072
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1073
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1074
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1075
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1076
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1077
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1078
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1079
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1080
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1081
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1082
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1083
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1084
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1085
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1086
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1087
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1088
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1089
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1090
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1091
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1092
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1093
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1094
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1095
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1096
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1097
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1098
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1099
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1100
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1101
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1102
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1103
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1104
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1105
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1106
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1107
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1108
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1109
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1110
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1111
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1112
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1113
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1114
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1115
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1116
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1117
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1118
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1119
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1120
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1121
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1122
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1123
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1124
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1125
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1126
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1127
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1128
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1129
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1130
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1131
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1132
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1133
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1134
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1135
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1136
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1137
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1138
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1139
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1140
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1141
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1142
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1143
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b12000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1144
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b14000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1145
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b14000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1146
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b14000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1147
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b14000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1148
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b14000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1149
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b14000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1150
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b14000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1151
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b14000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1152
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b14000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1153
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b14000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1154
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b14000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1155
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b14000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1156
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b14000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1157
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b14000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1158
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b14000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1159
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b14000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1160
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b14000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1161
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b14000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1162
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b14000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1163
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b14000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1164
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c62679",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b14000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1165
          },
          {
            "timestamp": "2026-04-16 20:00:11,721",
            "thread_id": "4344",
            "caller": "0x02f6a643",
            "parentcaller": "0x07c680ac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00b14000"
              },
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1166
          },
          {
            "timestamp": "2026-04-16 20:00:11,736",
            "thread_id": "4344",
            "caller": "0x07c60076",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x06bec000"
              },
              {
                "name": "RegionSize",
                "value": "0x00023000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1167
          },
          {
            "timestamp": "2026-04-16 20:00:11,799",
            "thread_id": "4344",
            "caller": "0x07c69db3",
            "parentcaller": "0x07c653a0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05a92000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1168
          },
          {
            "timestamp": "2026-04-16 20:00:11,799",
            "thread_id": "4344",
            "caller": "0x07c69db3",
            "parentcaller": "0x07c653a0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05aa2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1169
          },
          {
            "timestamp": "2026-04-16 20:00:11,799",
            "thread_id": "4344",
            "caller": "0x07c69db3",
            "parentcaller": "0x07c653a0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05ab2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1170
          },
          {
            "timestamp": "2026-04-16 20:00:11,799",
            "thread_id": "4344",
            "caller": "0x07c69db3",
            "parentcaller": "0x07c653a0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05ac2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1171
          },
          {
            "timestamp": "2026-04-16 20:00:11,799",
            "thread_id": "4344",
            "caller": "0x07c69db3",
            "parentcaller": "0x07c653a0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05ad2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1172
          },
          {
            "timestamp": "2026-04-16 20:00:11,799",
            "thread_id": "4344",
            "caller": "0x07c69db3",
            "parentcaller": "0x07c653a0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05ae2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1173
          },
          {
            "timestamp": "2026-04-16 20:00:11,799",
            "thread_id": "4344",
            "caller": "0x07c69db3",
            "parentcaller": "0x07c653a0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05af2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1174
          },
          {
            "timestamp": "2026-04-16 20:00:11,799",
            "thread_id": "4344",
            "caller": "0x07c69db3",
            "parentcaller": "0x07c653a0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05b02000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1175
          },
          {
            "timestamp": "2026-04-16 20:00:11,799",
            "thread_id": "4344",
            "caller": "0x07c67ceb",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05b12000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1176
          },
          {
            "timestamp": "2026-04-16 20:00:11,799",
            "thread_id": "4344",
            "caller": "0x07c69db3",
            "parentcaller": "0x07c653a0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05b22000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1177
          },
          {
            "timestamp": "2026-04-16 20:00:11,799",
            "thread_id": "4344",
            "caller": "0x07c67ceb",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05b32000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1178
          },
          {
            "timestamp": "2026-04-16 20:00:11,814",
            "thread_id": "4344",
            "caller": "0x07c67ceb",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05b42000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1179
          },
          {
            "timestamp": "2026-04-16 20:00:11,814",
            "thread_id": "4344",
            "caller": "0x07c69db3",
            "parentcaller": "0x07c653a0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05b52000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1180
          },
          {
            "timestamp": "2026-04-16 20:00:11,814",
            "thread_id": "4344",
            "caller": "0x07c69db3",
            "parentcaller": "0x07c653a0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05b62000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1181
          },
          {
            "timestamp": "2026-04-16 20:00:11,814",
            "thread_id": "4344",
            "caller": "0x07c69db3",
            "parentcaller": "0x07c653a0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05b72000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1182
          },
          {
            "timestamp": "2026-04-16 20:00:11,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c67b24",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32"
              },
              {
                "name": "BaseAddress",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 1183
          },
          {
            "timestamp": "2026-04-16 20:00:11,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c67b24",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x76ab0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "kernel32"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1184
          },
          {
            "timestamp": "2026-04-16 20:00:11,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c67b24",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "LoadLibrary"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1185
          },
          {
            "timestamp": "2026-04-16 20:00:11,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c67b24",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "LoadLibraryA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0bd0"
              }
            ],
            "repeated": 0,
            "id": 1186
          },
          {
            "timestamp": "2026-04-16 20:00:11,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6417e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07c6a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1187
          },
          {
            "timestamp": "2026-04-16 20:00:11,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c61255",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetProcAddress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76acf550"
              }
            ],
            "repeated": 0,
            "id": 1188
          },
          {
            "timestamp": "2026-04-16 20:00:11,814",
            "thread_id": "4344",
            "caller": "0x02f6a7f4",
            "parentcaller": "0x07c61255",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscorjit.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x72b80000"
              },
              {
                "name": "FunctionName",
                "value": "getJit"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x72bc93fe"
              }
            ],
            "repeated": 0,
            "id": 1189
          },
          {
            "timestamp": "2026-04-16 20:00:12,064",
            "thread_id": "4344",
            "caller": "0x07c6a029",
            "parentcaller": "0x07c64501",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1190
          },
          {
            "timestamp": "2026-04-16 20:00:12,846",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a1d8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "CloseHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad2ee0"
              }
            ],
            "repeated": 0,
            "id": 1191
          },
          {
            "timestamp": "2026-04-16 20:00:13,049",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a1d8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetCurrentProcessId"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad2e90"
              }
            ],
            "repeated": 0,
            "id": 1192
          },
          {
            "timestamp": "2026-04-16 20:00:13,049",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a1d8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetCurrentProcessIdW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1193
          },
          {
            "timestamp": "2026-04-16 20:00:13,393",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "advapi32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x76ea0000"
              }
            ],
            "repeated": 0,
            "id": 1194
          },
          {
            "timestamp": "2026-04-16 20:00:13,393",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x76ea0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "advapi32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1195
          },
          {
            "timestamp": "2026-04-16 20:00:13,393",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "LookupPrivilegeValue"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1196
          },
          {
            "timestamp": "2026-04-16 20:00:13,393",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "LookupPrivilegeValueW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76eba000"
              }
            ],
            "repeated": 0,
            "id": 1197
          },
          {
            "timestamp": "2026-04-16 20:00:13,408",
            "thread_id": "4344",
            "caller": "0x02f6a9e8",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LookupPrivilegeValueW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "SystemName",
                "value": ""
              },
              {
                "name": "PrivilegeName",
                "value": "SeDebugPrivilege"
              }
            ],
            "repeated": 0,
            "id": 1198
          },
          {
            "timestamp": "2026-04-16 20:00:13,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetCurrentProcess"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad2e80"
              }
            ],
            "repeated": 0,
            "id": 1199
          },
          {
            "timestamp": "2026-04-16 20:00:13,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "OpenProcessToken"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebea30"
              }
            ],
            "repeated": 0,
            "id": 1200
          },
          {
            "timestamp": "2026-04-16 20:00:13,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "OpenProcessTokenW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1201
          },
          {
            "timestamp": "2026-04-16 20:00:13,408",
            "thread_id": "4344",
            "caller": "0x02f6ab3c",
            "parentcaller": "0x02f62420",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000020"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 1202
          },
          {
            "timestamp": "2026-04-16 20:00:13,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "AdjustTokenPrivileges"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebfe40"
              }
            ],
            "repeated": 0,
            "id": 1203
          },
          {
            "timestamp": "2026-04-16 20:00:13,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "AdjustTokenPrivilegesW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1204
          },
          {
            "timestamp": "2026-04-16 20:00:13,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "CloseHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad2ee0"
              }
            ],
            "repeated": 0,
            "id": 1205
          },
          {
            "timestamp": "2026-04-16 20:00:13,408",
            "thread_id": "4344",
            "caller": "0x02f6acbe",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 1206
          },
          {
            "timestamp": "2026-04-16 20:00:13,408",
            "thread_id": "4344",
            "caller": "0x02f623e7",
            "parentcaller": "0x07c6a1fa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "CloseHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad2ee0"
              }
            ],
            "repeated": 0,
            "id": 1207
          },
          {
            "timestamp": "2026-04-16 20:00:13,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a1fa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "OpenProcess"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0630"
              }
            ],
            "repeated": 0,
            "id": 1208
          },
          {
            "timestamp": "2026-04-16 20:00:13,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a1fa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "OpenProcessW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1209
          },
          {
            "timestamp": "2026-04-16 20:00:13,408",
            "thread_id": "4344",
            "caller": "0x02f6ad9b",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 1210
          },
          {
            "timestamp": "2026-04-16 20:00:13,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a1fa",
            "category": "system",
            "api": "LdrLoadDll",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\psapi.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1211
          },
          {
            "timestamp": "2026-04-16 20:00:13,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a1fa",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\psapi.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 1212
          },
          {
            "timestamp": "2026-04-16 20:00:13,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a1fa",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\psapi"
              },
              {
                "name": "DllBase",
                "value": "0x76a70000"
              }
            ],
            "repeated": 0,
            "id": 1213
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a1fa",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "psapi.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x76a70000"
              }
            ],
            "repeated": 0,
            "id": 1214
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a1fa",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x76a70000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "psapi.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1215
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a1fa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "psapi.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a70000"
              },
              {
                "name": "FunctionName",
                "value": "EnumProcessModules"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a713a0"
              }
            ],
            "repeated": 0,
            "id": 1216
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a1fa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "psapi.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a70000"
              },
              {
                "name": "FunctionName",
                "value": "EnumProcessModulesW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1217
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1218
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1219
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1220
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1221
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1222
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1223
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00\\xa0[\\xf6w\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1224
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1225
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1226
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1227
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af1b0"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xf6*\\x01`\\xef*\\x01X\\xf6*\\x01h\\xef*\\x01H\\x02+\\x01`\\xf6*\\x01\\x00\\x00dv@Kdv\\x000\\x06\\x00<\\x00>\\x00\\x98\\xf2*\\x01\\x14\\x00\\x16\\x00\\xc0\\xf2*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\xc4\\x01+\\x01p\\\\xf6w!\t\\xac\\xf9"
              }
            ],
            "repeated": 0,
            "id": 1228
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af650"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " \\xf9*\\x01\\xb0\\xf1*\\x01(\\xf9*\\x01\\xb8\\xf1*\\x01\\xc0\\xf1*\\x01`\\xed*\\x01\\x00\\x00\\x90v0\\xbf\\x93v\\x00\\xe0\\x0b\\x00<\\x00>\\x008\\xf7*\\x01\\x14\\x00\\x16\\x00`\\xf7*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x98[\\xf6w\\x8c\\xed*\\x01\\xb6\\xa0\\xb4\\x11"
              }
            ],
            "repeated": 0,
            "id": 1229
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af920"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "8\\x02+\\x01P\\xf6*\\x01@\\x02+\\x01X\\xf6*\\x01\\x98\\x01+\\x01\\xe8\\x00+\\x01\\x00\\x00\\xd1u\\x90\\xc9\\xd4u\\x00\\xb0\\x19\\x00<\\x00>\\x00H\\xfc*\\x01\\x14\\x00\\x16\\x00p\\xfc*\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00\\x80[\\xf6w\\x80[\\xf6w-\\xec\\xfb?"
              }
            ],
            "repeated": 0,
            "id": 1230
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xd8\\x00+\\x01 \\xf9*\\x01\\xe0\\x00+\\x01(\\xf9*\\x01\\xd8\\xfe*\\x01\\xc0\\xf1*\\x01\\x00\\x00Lw\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00<\\x00>\\x00x\r+\\x01\\x14\\x00\\x16\\x00\\xa0\r+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14\\x0c+\\x01\\x00\\\\xf6wh\\x97\\xcfU"
              }
            ],
            "repeated": 0,
            "id": 1231
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b00d8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xd8\\x0b+\\x018\\x02+\\x01\\xe0\\x0b+\\x01@\\x02+\\x010\\xf9*\\x01\\xe8\\x0b+\\x01\\x00\\x00\\xa8vps\\xa8v\\x000\\x02\\x00:\\x00<\\x00\\x98\\x0e+\\x01\\x12\\x00\\x14\\x00\\xc0\\x0e+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00\\x88[\\xf6w\\x88[\\xf6w\\xd1\t\\xb0*"
              }
            ],
            "repeated": 0,
            "id": 1232
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0bd8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xc8\\xfe*\\x01\\xd8\\x00+\\x01\\xd0\\xfe*\\x01\\xe0\\x00+\\x01\\xe8\\x00+\\x01\\xd8\\xfe*\\x01\\x00\\x00\\x82v@\\x02\\x88v\\x00\\xd0\r\\x00B\\x00D\\x00\\x18\\x14+\\x01\\x1a\\x00\\x1c\\x00@\\x14+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00\\x04\\xff*\\x01t\\x02+\\x01\\xd4\r\\x89+"
              }
            ],
            "repeated": 0,
            "id": 1233
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012afec8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xe8\\x02+\\x01\\xd8\\x0b+\\x01\\xf0\\x02+\\x01\\xe0\\x0b+\\x01\\xe8\\x0b+\\x01H\\x02+\\x01\\x00\\x00\\v\\x00x]v\\x00\\xb0\\x07\\x00B\\x00D\\x00\\xb8\\x17+\\x01\\x1a\\x00\\x1c\\x00\\xe0\\x17+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00D\\x07+\\x01\\x14\\x0c+\\x01RDR\\xfd"
              }
            ],
            "repeated": 0,
            "id": 1234
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b02e8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x98\\x03+\\x01\\xc8\\xfe*\\x01\\xa0\\x03+\\x01\\xd0\\xfe*\\x01\\x88\\xff*\\x01(\\xfe*\\x01\\x00\\x00\\xeav\\x10\"\\xebv\\x00\\xb0\\x07\\x00@\\x00B\\x00\\x08\\x19+\\x01\\x18\\x00\\x1a\\x000\\x19+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x04@-\\x01`\\\\xf6wL\\x9dxd"
              }
            ],
            "repeated": 0,
            "id": 1235
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0398"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x18\\xfe*\\x01\\xe8\\x02+\\x01 \\xfe*\\x01\\xf0\\x02+\\x01(\\xfe*\\x01\\x98\\x01+\\x01\\x00\\x00\\xdev\\xc0Z\\xe1v\\x00\\xf0\\x0b\\x00<\\x00>\\x00x\\x1a+\\x01\\x14\\x00\\x16\\x00\\xa0\\x1a+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x84E-\\x01\\xd8[\\xf6wPzV\\x7f"
              }
            ],
            "repeated": 0,
            "id": 1236
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012afe18"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "H\\x04+\\x01\\x98\\x03+\\x01P\\x04+\\x01\\xa0\\x03+\\x01\\xf8\\x02+\\x01\\xa8\\x03+\\x01\\x00\\x007w \r9w\\x00`\\x07\\x00>\\x00@\\x00X%+\\x01\\x16\\x00\\x18\\x00\\x80%+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00\\xf8[\\xf6w\\xf8[\\xf6wH\\xf4\\xe6L"
              }
            ],
            "repeated": 0,
            "id": 1237
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0448"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "x\\xff*\\x01\\x18\\xfe*\\x01\\x80\\xff*\\x01 \\xfe*\\x01h\\x06+\\x01\\x88\\xff*\\x01\\x00\\x00\\x06w\\xf0\\xc8\\x08w\\x000\\x0e\\x00:\\x00<\\x00P'+\\x01\\x12\\x00\\x14\\x00x'+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\xf4\\x07+\\x01h\\\\xf6w/\\xad(S"
              }
            ],
            "repeated": 0,
            "id": 1238
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aff78"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "X\\x06+\\x01H\\x04+\\x01`\\x06+\\x01P\\x04+\\x01X\\x04+\\x01\\xf8\\x02+\\x01\\x00\\x00\\xb5w\\xe0\\xba\\xc8w\\x00\\x00(\\x00>\\x00@\\x00\\x98'+\\x01\\x16\\x00\\x18\\x00\\xc0'+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\xc0[\\xf6w\\xc0[\\xf6w\\xdbc}("
              }
            ],
            "repeated": 0,
            "id": 1239
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0658"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x08\\x07+\\x01x\\xff*\\x01\\x10\\x07+\\x01\\x80\\xff*\\x01\\x18\\x07+\\x01X\\x04+\\x01\\x00\\x00\\x06v\\xd0\\\tv\\x00`\t\\x00@\\x00B\\x00\\xa0/+\\x01\\x18\\x00\\x1a\\x00\\xc8/+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\xa4\\xfd*\\x01\\xe8[\\xf6w[\r\\x8f\\xfc"
              }
            ],
            "repeated": 0,
            "id": 1240
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0708"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "(\\x00+\\x01X\\x06+\\x010\\x00+\\x01`\\x06+\\x018\\x00+\\x01h\\x06+\\x01\\x00\\x00\\xf2v\\x90x\\xf3v\\x00P\\x04\\x00>\\x00@\\x00\\xa8#+\\x01\\x16\\x00\\x18\\x00\\xd0#+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00\\xe4;-\\x01\\x04\\xff*\\x01?\\xc0\\xc7:"
              }
            ],
            "repeated": 0,
            "id": 1241
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0028"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88\\x01+\\x01\\x08\\x07+\\x01\\x90\\x01+\\x01\\x10\\x07+\\x01\\xc8\\xfc*\\x01\\x18\\x07+\\x01\\x00\\x00\\x16v\\xe0\\x93\\x16v\\x00\\x90\\x01\\x00<\\x00>\\x00x&+\\x01\\x14\\x00\\x16\\x00\\xa0&+\\x01\\xcc\\xaa\\x0c\\x80\\xff\\xff\\x00\\x00\\x90[\\xf6w\\x90[\\xf6w\\xd4;0\\x90"
              }
            ],
            "repeated": 0,
            "id": 1242
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0188"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb8\\xfc*\\x01(\\x00+\\x01\\xc0\\xfc*\\x010\\x00+\\x01\\xa8\\x03+\\x010\\xf9*\\x01\\x00\\x00Nw\\x10DNw\\x00P\\x02\\x00:\\x00<\\x00\\x08'+\\x01\\x12\\x00\\x14\\x000'+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00p\\\\xf6w\\xec\\xf1*\\x01Ej\\x049"
              }
            ],
            "repeated": 0,
            "id": 1243
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012afcb8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb8\\x07+\\x01\\x88\\x01+\\x01\\xc0\\x07+\\x01\\x90\\x01+\\x01\\xc8\\x07+\\x018\\x00+\\x01\\x00\\x00\nu`*\nu\\x00\\xa0\\x00\\x00B\\x00D\\x00\\xf0\\x15,\\x01\\x1a\\x00\\x1c\\x00\\x18\\x16,\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\xb4\n+\\x01(\\\\xf6w\\xec\\x82\\x8d\\xc7"
              }
            ],
            "repeated": 0,
            "id": 1244
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b07b8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xa8\\x05+\\x01\\xb8\\xfc*\\x01\\xb0\\x05+\\x01\\xc0\\xfc*\\x01\\xb8\\x05+\\x01\\xc8\\xfc*\\x01\\x00\\x00\\x15u\\xd0\\xca\\x15u\\x00\\x10\\x02\\x00>\\x00@\\x00@++\\x01\\x16\\x00\\x18\\x00h++\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00h\\\\xf6w\\x84\\x04+\\x01\\xb5kb\\x98"
              }
            ],
            "repeated": 0,
            "id": 1245
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b05a8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x18\t+\\x01\\xb8\\x07+\\x01 \t+\\x01\\xc0\\x07+\\x01(\t+\\x01\\xc8\\x07+\\x01\\x00\\x00\\xe1sp(\\xe2s\\x00\\xd0\\x08\\x00t\\x00v\\x00\\x80\\xf7*\\x01\\x18\\x00\\x1a\\x00\\xdc\\xf7*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00x\\\\xf6wx\\\\xf6w\\xf2\\x1d}^"
              }
            ],
            "repeated": 0,
            "id": 1246
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0918"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xc8\t+\\x01\\xa8\\x05+\\x01\\xd0\t+\\x01\\xb0\\x05+\\x01\\xd8\t+\\x01\\xb8\\x05+\\x01\\x00\\x00%u\\xe0G%u\\x00\\xf0\\x00\\x00L\\x00N\\x00X\\x03,\\x01$\\x00&\\x00\\x80\\x03,\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00T?-\\x01\\xa8[\\xf6wU\\xebI="
              }
            ],
            "repeated": 0,
            "id": 1247
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b09c8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "x\n+\\x01\\x18\t+\\x01\\x80\n+\\x01 \t+\\x01x\\xfd*\\x01(\t+\\x01\\x00\\x00Fu\\x00\\x18Fu\\x00\\x80\\x00\\x00>\\x00@\\x00P#,\\x01\\x16\\x00\\x18\\x00x#,\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00$D-\\x01\\xf0[\\xf6w\\xa6P\\x89\\xa8"
              }
            ],
            "repeated": 0,
            "id": 1248
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0a78"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "h\\xfd*\\x01\\xc8\t+\\x01p\\xfd*\\x01\\xd0\t+\\x01(?-\\x01x\\xfd*\\x01\\x00\\x00~s\\x10\\xfc\\x8fs\\x00\\x10b\\x00t\\x00v\\x00(\\x17+\\x01\\x18\\x00\\x1a\\x00\\x84\\x17+\\x01\\xcc*\\x08\\x80\\x06\\x00\\x00\\x00(\\\\xf6w\\xf4\\xfc*\\x01\\x8aaGb"
              }
            ],
            "repeated": 0,
            "id": 1249
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012afd68"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x18?-\\x01x\n+\\x01 ?-\\x01\\x80\n+\\x01\\x88\n+\\x01\\xd8\t+\\x01\\x00\\x00ns+#ns\\x00\\xb0\t\\x00\\xd4\\x00\\xd6\\x00`\\x0c,\\x01\\x16\\x00\\x18\\x00\\x1e\r,\\x01\\xcc*\\x08\\x90\\x06\\x00\\x00\\x00\\x94G-\\x01\\x94\\x06+\\x01\\xb8\\xb1\\xb2]"
              }
            ],
            "repeated": 0,
            "id": 1250
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012d3f18"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb8=-\\x01h\\xfd*\\x01\\xc0=-\\x01p\\xfd*\\x01\\xe8A-\\x01\\x88\n+\\x01\\x00\\x00Yw\\x80\\xbfpw\\x00P[\\x00>\\x00@\\x00\\x90%,\\x01\\x16\\x00\\x18\\x00\\xb8%,\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\xa8[\\xf6wT\t+\\x01W\\xa3_3"
              }
            ],
            "repeated": 0,
            "id": 1251
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012d3db8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xd8A-\\x01\\x18?-\\x01\\xe0A-\\x01 ?-\\x01\\x88@-\\x01\\xe8A-\\x01\\x00\\x00pu \\xb9\\x8du\\x00\\xd0`\\x00N\\x00P\\x00\\xd0\\xca-\\x01&\\x00(\\x00\\xf8\\xca-\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\xb0[\\xf6w\\xb0[\\xf6w\\x1a\\xa5Dl"
              }
            ],
            "repeated": 0,
            "id": 1252
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012d41d8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "x@-\\x01\\xb8=-\\x01\\x80@-\\x01\\xc0=-\\x01\\xc8=-\\x01(?-\\x01\\x00\\x00mu\\xd0\\x8bmu\\x00p\\x02\\x008\\x00:\\x00\\x10!,\\x01\\x10\\x00\\x12\\x008!,\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\xd4O-\\x01\\x9c\\xef*\\x01\\xfaOW\\xc0"
              }
            ],
            "repeated": 0,
            "id": 1253
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012d4078"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x98O-\\x01\\xd8A-\\x01\\xa0O-\\x01\\xe0A-\\x01\\xa8O-\\x01\\xc8=-\\x01\\x00\\x00\\xf7v\\x80$\\xfbv\\x00p\\x08\\x00<\\x00>\\x00(\\x1b,\\x01\\x14\\x00\\x16\\x00P\\x1b,\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\xd0[\\xf6w\\xd0[\\xf6w\\x96\\x11\\xa0S"
              }
            ],
            "repeated": 0,
            "id": 1254
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012d4f98"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "h>-\\x01x@-\\x01p>-\\x01\\x80@-\\x01x>-\\x01\\x88@-\\x01\\x00\\x00&uP\\xa2&u\\x00\\x80\\x01\\x00>\\x00@\\x00\\xc0\\x19,\\x01\\x16\\x00\\x18\\x00\\xe8\\x19,\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x008\\\\xf6w\\x14B-\\x01\\xa7= \\x1c"
              }
            ],
            "repeated": 0,
            "id": 1255
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012d3e68"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xe8C-\\x01\\x98O-\\x01\\xf0C-\\x01\\xa0O-\\x01\\xf8C-\\x01\\xa8O-\\x01\\x00\\x00\\xber\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\xd0\\x00\\xd2\\x00\\x10\\xee.\\x01\\x1e\\x00 \\x00\\xc2\\xee.\\x01\\xcc*H\\x80\\x06\\x00\\x00\\x00P\\\\xf6wP\\\\xf6wVbGb"
              }
            ],
            "repeated": 0,
            "id": 1256
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012d43e8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xc8?-\\x01h>-\\x01\\xd0?-\\x01p>-\\x01\\xd8?-\\x01x>-\\x01\\x00\\x00\\xd8v\\xc06\\xdbv\\x00\\xf0\\x05\\x00P\\x00R\\x00\\xa8\\x0b/\\x01(\\x00*\\x00\\xd0\\x0b/\\x01\\xcc\\xaa\\x0c\\x80\\xff\\xff\\x00\\x00\\xf0[\\xf6w\\x04\n+\\x01\\xf6\\x13\\xd6\\x9d"
              }
            ],
            "repeated": 0,
            "id": 1257
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012d3fc8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "HE-\\x01\\xe8C-\\x01PE-\\x01\\xf0C-\\x01XE-\\x01\\xf8C-\\x01\\x00\\x00]t`t`t\\x00@\\x07\\x00>\\x00@\\x00\\x00\\x1c,\\x01\\x16\\x00\\x18\\x00(\\x1c,\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00`\\\\xf6w$\\x03+\\x01\\xb8\\xc6L\\xd2"
              }
            ],
            "repeated": 0,
            "id": 1258
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012d4548"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xa8;-\\x01\\xc8?-\\x01\\xb0;-\\x01\\xd0?-\\x01\\xb8;-\\x01\\xd8?-\\x01\\x00\\x00\\xb8r\\x10\\x90\\xbcr\\x00\\xb0\\x05\\x00t\\x00v\\x00\\xd0v/\\x01\\x18\\x00\\x1a\\x00,w/\\x01\\xcc*\\x0c\\x80\\x06\\x00\\x00\\x00\\xd8[\\xf6w\\xd4\\x03+\\x01\\xfa\\xb6\\xb2]"
              }
            ],
            "repeated": 0,
            "id": 1259
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012d3ba8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XG-\\x01HE-\\x01`G-\\x01PE-\\x01hG-\\x01XE-\\x01\\x00\\x00=r\\x00\\x00\\x00\\x00\\x00\\x80z\\x00\\xc8\\x00\\xca\\x00\\x10\\x08.\\x01\\x1a\\x00\\x1c\\x00\\xbe\\x08.\\x01\\xcc*H\\x80\\x06\\x00\\x00\\x00\\x00\\\\xf6wD\\x07+\\x01\\xfc\\xb9\\xb2]"
              }
            ],
            "repeated": 0,
            "id": 1260
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6ae8c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012d4758"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x8c]\\xf6w\\xa8;-\\x01\\x94]\\xf6w\\xb0;-\\x01\\x9c]\\xf6w\\xb8;-\\x01\\x00\\x00\\xa7v\\xd0\\x14\\xa7v\\x00`\\x00\\x00:\\x00<\\x00\\x80 ,\\x01\\x12\\x00\\x14\\x00\\xa8 ,\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00\\xe8[\\xf6w\\xa4\\xfd*\\x01\\xcb\\xc2\\xc4\\xfa"
              }
            ],
            "repeated": 0,
            "id": 1261
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a1fa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "psapi.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a70000"
              },
              {
                "name": "FunctionName",
                "value": "GetModuleInformation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a71440"
              }
            ],
            "repeated": 0,
            "id": 1262
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a1fa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "psapi.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a70000"
              },
              {
                "name": "FunctionName",
                "value": "GetModuleInformationW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1263
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1264
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1265
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1266
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a1fa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "psapi.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a70000"
              },
              {
                "name": "FunctionName",
                "value": "GetModuleBaseName"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1267
          },
          {
            "timestamp": "2026-04-16 20:00:13,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a1fa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "psapi.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a70000"
              },
              {
                "name": "FunctionName",
                "value": "GetModuleBaseNameW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a71400"
              }
            ],
            "repeated": 0,
            "id": 1268
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f6b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1269
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1270
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1271
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1272
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a1dca"
              },
              {
                "name": "Size",
                "value": "0x0000001a"
              },
              {
                "name": "Buffer",
                "value": "N\\x00a\\x00n\\x00o\\x00C\\x00o\\x00r\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1273
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a1fa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "psapi.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a70000"
              },
              {
                "name": "FunctionName",
                "value": "GetModuleFileNameEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1274
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a1fa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "psapi.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a70000"
              },
              {
                "name": "FunctionName",
                "value": "GetModuleFileNameExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a71420"
              }
            ],
            "repeated": 0,
            "id": 1275
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1276
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1277
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1278
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a1d88"
              },
              {
                "name": "Size",
                "value": "0x0000005c"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00c\\x00a\\x00p\\x00e\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\\\x00N\\x00a\\x00n\\x00o\\x00C\\x00o\\x00r\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1279
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1280
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1281
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1282
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1283
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1284
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1285
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1286
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1287
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e48418"
              },
              {
                "name": "Size",
                "value": "0x00000014"
              },
              {
                "name": "Buffer",
                "value": "n\\x00t\\x00d\\x00l\\x00l\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1288
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1289
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1290
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1291
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1292
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2c98"
              },
              {
                "name": "Size",
                "value": "0x0000003c"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00Y\\x00S\\x00T\\x00E\\x00M\\x003\\x002\\x00\\\\x00n\\x00t\\x00d\\x00l\\x00l\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1293
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1294
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1295
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1296
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1297
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1298
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1299
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1300
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1301
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1302
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1303
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3348"
              },
              {
                "name": "Size",
                "value": "0x00000018"
              },
              {
                "name": "Buffer",
                "value": "M\\x00S\\x00C\\x00O\\x00R\\x00E\\x00E\\x00.\\x00D\\x00L\\x00L\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1304
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1305
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1306
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1307
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1308
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1309
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3320"
              },
              {
                "name": "Size",
                "value": "0x00000040"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00Y\\x00S\\x00T\\x00E\\x00M\\x003\\x002\\x00\\\\x00M\\x00S\\x00C\\x00O\\x00R\\x00E\\x00E\\x00.\\x00D\\x00L\\x00L\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1310
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1311
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1312
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1313
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1314
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1315
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1316
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1317
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1318
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1319
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1320
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1321
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1322
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3530"
              },
              {
                "name": "Size",
                "value": "0x0000001a"
              },
              {
                "name": "Buffer",
                "value": "K\\x00E\\x00R\\x00N\\x00E\\x00L\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1323
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1324
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1325
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1326
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1327
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1328
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1329
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3508"
              },
              {
                "name": "Size",
                "value": "0x00000042"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00K\\x00E\\x00R\\x00N\\x00E\\x00L\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1330
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1331
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1332
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1333
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1334
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1335
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1336
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00\\xa0[\\xf6w\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1337
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1338
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1339
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1340
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1341
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1342
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1343
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00\\xa0[\\xf6w\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1344
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a38a0"
              },
              {
                "name": "Size",
                "value": "0x0000001e"
              },
              {
                "name": "Buffer",
                "value": "K\\x00E\\x00R\\x00N\\x00E\\x00L\\x00B\\x00A\\x00S\\x00E\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1345
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1346
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1347
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1348
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1349
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1350
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1351
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00\\xa0[\\xf6w\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1352
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3878"
              },
              {
                "name": "Size",
                "value": "0x00000046"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00K\\x00E\\x00R\\x00N\\x00E\\x00L\\x00B\\x00A\\x00S\\x00E\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1353
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1354
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1355
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1356
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1357
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1358
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1359
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00\\xa0[\\xf6w\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1360
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1361
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1362
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1363
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1364
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1365
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1366
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1367
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00\\xa0[\\xf6w\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1368
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1369
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4468"
              },
              {
                "name": "Size",
                "value": "0x00000018"
              },
              {
                "name": "Buffer",
                "value": "a\\x00p\\x00p\\x00h\\x00e\\x00l\\x00p\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1370
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1371
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1372
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1373
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1374
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1375
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1376
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00\\xa0[\\xf6w\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1377
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1378
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4440"
              },
              {
                "name": "Size",
                "value": "0x00000040"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00Y\\x00S\\x00T\\x00E\\x00M\\x003\\x002\\x00\\\\x00a\\x00p\\x00p\\x00h\\x00e\\x00l\\x00p\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1379
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1380
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1381
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1382
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1383
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1384
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1385
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00\\xa0[\\xf6w\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1386
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1387
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1388
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1389
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1390
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1391
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1392
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1393
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1394
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00\\xa0[\\xf6w\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1395
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1396
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1397
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012ae6d8"
              },
              {
                "name": "Size",
                "value": "0x00000018"
              },
              {
                "name": "Buffer",
                "value": "C\\x00R\\x00Y\\x00P\\x00T\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1398
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1399
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1400
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1401
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1402
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1403
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1404
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00\\xa0[\\xf6w\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1405
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1406
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1407
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012ae6b0"
              },
              {
                "name": "Size",
                "value": "0x00000040"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00C\\x00R\\x00Y\\x00P\\x00T\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1408
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1409
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1410
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1411
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1412
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1413
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1414
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00\\xa0[\\xf6w\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1415
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1416
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1417
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1418
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1419
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1420
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1421
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1422
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1423
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1424
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00\\xa0[\\xf6w\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1425
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1426
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1427
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1428
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af070"
              },
              {
                "name": "Size",
                "value": "0x0000001a"
              },
              {
                "name": "Buffer",
                "value": "u\\x00c\\x00r\\x00t\\x00b\\x00a\\x00s\\x00e\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1429
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1430
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1431
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1432
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1433
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1434
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1435
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00\\xa0[\\xf6w\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1436
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1437
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1438
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1439
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af048"
              },
              {
                "name": "Size",
                "value": "0x00000042"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00u\\x00c\\x00r\\x00t\\x00b\\x00a\\x00s\\x00e\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1440
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1441
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1442
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1443
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1444
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1445
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1446
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00\\xa0[\\xf6w\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1447
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1448
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1449
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1450
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af1b0"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xf6*\\x01`\\xef*\\x01X\\xf6*\\x01h\\xef*\\x01H\\x02+\\x01`\\xf6*\\x01\\x00\\x00dv@Kdv\\x000\\x06\\x00<\\x00>\\x00\\x98\\xf2*\\x01\\x14\\x00\\x16\\x00\\xc0\\xf2*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\xc4\\x01+\\x01p\\\\xf6w!\t\\xac\\xf9"
              }
            ],
            "repeated": 0,
            "id": 1451
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1452
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1453
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1454
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1455
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1456
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1457
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00\\xa0[\\xf6w\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1458
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1459
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1460
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1461
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af1b0"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xf6*\\x01`\\xef*\\x01X\\xf6*\\x01h\\xef*\\x01H\\x02+\\x01`\\xf6*\\x01\\x00\\x00dv@Kdv\\x000\\x06\\x00<\\x00>\\x00\\x98\\xf2*\\x01\\x14\\x00\\x16\\x00\\xc0\\xf2*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\xc4\\x01+\\x01p\\\\xf6w!\t\\xac\\xf9"
              }
            ],
            "repeated": 0,
            "id": 1462
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af2c0"
              },
              {
                "name": "Size",
                "value": "0x00000016"
              },
              {
                "name": "Buffer",
                "value": "W\\x00S\\x002\\x00_\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1463
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1464
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1465
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1466
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1467
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1468
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1469
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00\\xa0[\\xf6w\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1470
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1471
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1472
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1473
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af1b0"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xf6*\\x01`\\xef*\\x01X\\xf6*\\x01h\\xef*\\x01H\\x02+\\x01`\\xf6*\\x01\\x00\\x00dv@Kdv\\x000\\x06\\x00<\\x00>\\x00\\x98\\xf2*\\x01\\x14\\x00\\x16\\x00\\xc0\\xf2*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\xc4\\x01+\\x01p\\\\xf6w!\t\\xac\\xf9"
              }
            ],
            "repeated": 0,
            "id": 1474
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af298"
              },
              {
                "name": "Size",
                "value": "0x0000003e"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00W\\x00S\\x002\\x00_\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1475
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1476
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1477
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1478
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1479
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1480
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1481
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00\\xa0[\\xf6w\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1482
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1483
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1484
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1485
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af1b0"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xf6*\\x01`\\xef*\\x01X\\xf6*\\x01h\\xef*\\x01H\\x02+\\x01`\\xf6*\\x01\\x00\\x00dv@Kdv\\x000\\x06\\x00<\\x00>\\x00\\x98\\xf2*\\x01\\x14\\x00\\x16\\x00\\xc0\\xf2*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\xc4\\x01+\\x01p\\\\xf6w!\t\\xac\\xf9"
              }
            ],
            "repeated": 0,
            "id": 1486
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af650"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " \\xf9*\\x01\\xb0\\xf1*\\x01(\\xf9*\\x01\\xb8\\xf1*\\x01\\xc0\\xf1*\\x01`\\xed*\\x01\\x00\\x00\\x90v0\\xbf\\x93v\\x00\\xe0\\x0b\\x00<\\x00>\\x008\\xf7*\\x01\\x14\\x00\\x16\\x00`\\xf7*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x98[\\xf6w\\x8c\\xed*\\x01\\xb6\\xa0\\xb4\\x11"
              }
            ],
            "repeated": 0,
            "id": 1487
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x07c6a1fa",
            "parentcaller": "0x07c6310a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05b82000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1488
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1489
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1490
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1491
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1492
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1493
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1494
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00\\xa0[\\xf6w\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1495
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1496
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1497
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1498
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af1b0"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xf6*\\x01`\\xef*\\x01X\\xf6*\\x01h\\xef*\\x01H\\x02+\\x01`\\xf6*\\x01\\x00\\x00dv@Kdv\\x000\\x06\\x00<\\x00>\\x00\\x98\\xf2*\\x01\\x14\\x00\\x16\\x00\\xc0\\xf2*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\xc4\\x01+\\x01p\\\\xf6w!\t\\xac\\xf9"
              }
            ],
            "repeated": 0,
            "id": 1499
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af650"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " \\xf9*\\x01\\xb0\\xf1*\\x01(\\xf9*\\x01\\xb8\\xf1*\\x01\\xc0\\xf1*\\x01`\\xed*\\x01\\x00\\x00\\x90v0\\xbf\\x93v\\x00\\xe0\\x0b\\x00<\\x00>\\x008\\xf7*\\x01\\x14\\x00\\x16\\x00`\\xf7*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x98[\\xf6w\\x8c\\xed*\\x01\\xb6\\xa0\\xb4\\x11"
              }
            ],
            "repeated": 0,
            "id": 1500
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af760"
              },
              {
                "name": "Size",
                "value": "0x00000016"
              },
              {
                "name": "Buffer",
                "value": "R\\x00P\\x00C\\x00R\\x00T\\x004\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1501
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1502
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1503
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1504
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1505
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1506
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1507
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00\\xa0[\\xf6w\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1508
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1509
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1510
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1511
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af1b0"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xf6*\\x01`\\xef*\\x01X\\xf6*\\x01h\\xef*\\x01H\\x02+\\x01`\\xf6*\\x01\\x00\\x00dv@Kdv\\x000\\x06\\x00<\\x00>\\x00\\x98\\xf2*\\x01\\x14\\x00\\x16\\x00\\xc0\\xf2*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\xc4\\x01+\\x01p\\\\xf6w!\t\\xac\\xf9"
              }
            ],
            "repeated": 0,
            "id": 1512
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af650"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " \\xf9*\\x01\\xb0\\xf1*\\x01(\\xf9*\\x01\\xb8\\xf1*\\x01\\xc0\\xf1*\\x01`\\xed*\\x01\\x00\\x00\\x90v0\\xbf\\x93v\\x00\\xe0\\x0b\\x00<\\x00>\\x008\\xf7*\\x01\\x14\\x00\\x16\\x00`\\xf7*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x98[\\xf6w\\x8c\\xed*\\x01\\xb6\\xa0\\xb4\\x11"
              }
            ],
            "repeated": 0,
            "id": 1513
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af738"
              },
              {
                "name": "Size",
                "value": "0x0000003e"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00R\\x00P\\x00C\\x00R\\x00T\\x004\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1514
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1515
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1516
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1517
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1518
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x000\\\\xf6w0\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1519
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1520
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00\\xa0[\\xf6w\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1521
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1522
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1523
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1524
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af1b0"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xf6*\\x01`\\xef*\\x01X\\xf6*\\x01h\\xef*\\x01H\\x02+\\x01`\\xf6*\\x01\\x00\\x00dv@Kdv\\x000\\x06\\x00<\\x00>\\x00\\x98\\xf2*\\x01\\x14\\x00\\x16\\x00\\xc0\\xf2*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\xc4\\x01+\\x01p\\\\xf6w!\t\\xac\\xf9"
              }
            ],
            "repeated": 0,
            "id": 1525
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af650"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " \\xf9*\\x01\\xb0\\xf1*\\x01(\\xf9*\\x01\\xb8\\xf1*\\x01\\xc0\\xf1*\\x01`\\xed*\\x01\\x00\\x00\\x90v0\\xbf\\x93v\\x00\\xe0\\x0b\\x00<\\x00>\\x008\\xf7*\\x01\\x14\\x00\\x16\\x00`\\xf7*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x98[\\xf6w\\x8c\\xed*\\x01\\xb6\\xa0\\xb4\\x11"
              }
            ],
            "repeated": 0,
            "id": 1526
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6af7c",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af920"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "8\\x02+\\x01P\\xf6*\\x01@\\x02+\\x01X\\xf6*\\x01\\x98\\x01+\\x01\\xe8\\x00+\\x01\\x00\\x00\\xd1u\\x90\\xc9\\xd4u\\x00\\xb0\\x19\\x00<\\x00>\\x00H\\xfc*\\x01\\x14\\x00\\x16\\x00p\\xfc*\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00\\x80[\\xf6w\\x80[\\xf6w-\\xec\\xfb?"
              }
            ],
            "repeated": 0,
            "id": 1527
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1528
          },
          {
            "timestamp": "2026-04-16 20:00:13,439",
            "thread_id": "4344",
            "caller": "0x02f6b088",
            "parentcaller": "0x07c6a1fa",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000003cc"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1529
          },
          {
            "timestamp": "2026-04-16 20:00:13,471",
            "thread_id": "4344",
            "caller": "0x07c6a1fa",
            "parentcaller": "0x07c6310a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05b92000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1530
          },
          {
            "timestamp": "2026-04-16 20:00:13,486",
            "thread_id": "4344",
            "caller": "0x07c6a1fa",
            "parentcaller": "0x07c6310a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05ba2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1531
          },
          {
            "timestamp": "2026-04-16 20:00:13,486",
            "thread_id": "4344",
            "caller": "0x02f6a896",
            "parentcaller": "0x07c6a1fa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 1532
          },
          {
            "timestamp": "2026-04-16 20:00:13,486",
            "thread_id": "4344",
            "caller": "0x07c6a1fa",
            "parentcaller": "0x07c6310a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02fa2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1533
          },
          {
            "timestamp": "2026-04-16 20:00:13,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c63128",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f86000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1534
          },
          {
            "timestamp": "2026-04-16 20:00:13,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c63128",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1535
          },
          {
            "timestamp": "2026-04-16 20:00:13,564",
            "thread_id": "4344",
            "caller": "0x07c63128",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f8a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1536
          },
          {
            "timestamp": "2026-04-16 20:00:13,564",
            "thread_id": "4344",
            "caller": "0x07c63128",
            "parentcaller": "0x07c60076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f87000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1537
          },
          {
            "timestamp": "2026-04-16 20:00:13,689",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003b0"
              },
              {
                "name": "SubKey",
                "value": "policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a"
              }
            ],
            "repeated": 0,
            "id": 1538
          },
          {
            "timestamp": "2026-04-16 20:00:13,689",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "NI\\1c22df2f\\4f99a7c9"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9"
              }
            ],
            "repeated": 0,
            "id": 1539
          },
          {
            "timestamp": "2026-04-16 20:00:13,689",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_32\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a"
              }
            ],
            "repeated": 0,
            "id": 1540
          },
          {
            "timestamp": "2026-04-16 20:00:13,705",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a"
              }
            ],
            "repeated": 0,
            "id": 1541
          },
          {
            "timestamp": "2026-04-16 20:00:13,705",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll"
              }
            ],
            "repeated": 0,
            "id": 1542
          },
          {
            "timestamp": "2026-04-16 20:00:13,705",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 1543
          },
          {
            "timestamp": "2026-04-16 20:00:13,705",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1544
          },
          {
            "timestamp": "2026-04-16 20:00:13,893",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000003d0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll"
              }
            ],
            "repeated": 0,
            "id": 1545
          },
          {
            "timestamp": "2026-04-16 20:00:13,893",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07cd0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fc3b8"
              },
              {
                "name": "ViewSize",
                "value": "0x000a6000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1546
          },
          {
            "timestamp": "2026-04-16 20:00:13,893",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07dc0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fc3b8"
              },
              {
                "name": "ViewSize",
                "value": "0x000a6000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1547
          },
          {
            "timestamp": "2026-04-16 20:00:13,893",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07cd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1548
          },
          {
            "timestamp": "2026-04-16 20:00:14,174",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 1549
          },
          {
            "timestamp": "2026-04-16 20:00:14,174",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.INI"
              }
            ],
            "repeated": 0,
            "id": 1550
          },
          {
            "timestamp": "2026-04-16 20:00:14,283",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ee4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1551
          },
          {
            "timestamp": "2026-04-16 20:00:14,283",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07eea000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1552
          },
          {
            "timestamp": "2026-04-16 20:00:14,283",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f76000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1553
          },
          {
            "timestamp": "2026-04-16 20:00:14,283",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07eeb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1554
          },
          {
            "timestamp": "2026-04-16 20:00:14,299",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1555
          },
          {
            "timestamp": "2026-04-16 20:00:14,299",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003d0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1556
          },
          {
            "timestamp": "2026-04-16 20:00:14,299",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003d8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1557
          },
          {
            "timestamp": "2026-04-16 20:00:14,299",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000002"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x07cd0000"
              }
            ],
            "repeated": 0,
            "id": 1558
          },
          {
            "timestamp": "2026-04-16 20:00:14,299",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x07cd0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000009"
              }
            ],
            "repeated": 0,
            "id": 1559
          },
          {
            "timestamp": "2026-04-16 20:00:14,299",
            "thread_id": "4344",
            "caller": "0x07c6a318",
            "parentcaller": "0x07c63fb9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 1560
          },
          {
            "timestamp": "2026-04-16 20:00:14,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c68867",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "VirtualAlloc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76acf3c0"
              }
            ],
            "repeated": 0,
            "id": 1561
          },
          {
            "timestamp": "2026-04-16 20:00:14,408",
            "thread_id": "4344",
            "caller": "0x02f6a0d7",
            "parentcaller": "0x07c68867",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d80000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1562
          },
          {
            "timestamp": "2026-04-16 20:00:14,408",
            "thread_id": "4344",
            "caller": "0x772627d9",
            "parentcaller": "0x77262732",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1563
          },
          {
            "timestamp": "2026-04-16 20:00:14,408",
            "thread_id": "4344",
            "caller": "0x772627d9",
            "parentcaller": "0x77262732",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Milliseconds",
                "value": "3000"
              }
            ],
            "repeated": 0,
            "id": 1564
          },
          {
            "timestamp": "2026-04-16 20:00:14,408",
            "thread_id": "4344",
            "caller": "0x77265900",
            "parentcaller": "0x738d1083",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 1565
          },
          {
            "timestamp": "2026-04-16 20:00:14,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "system",
            "api": "LdrLoadDll",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\VERSION.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1566
          },
          {
            "timestamp": "2026-04-16 20:00:14,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\VERSION.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 1567
          },
          {
            "timestamp": "2026-04-16 20:00:14,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "VERSION.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x75460000"
              }
            ],
            "repeated": 0,
            "id": 1568
          },
          {
            "timestamp": "2026-04-16 20:00:14,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "VERSION.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75460000"
              },
              {
                "name": "FunctionName",
                "value": "GetFileVersionInfoSizeW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x754615c0"
              }
            ],
            "repeated": 0,
            "id": 1569
          },
          {
            "timestamp": "2026-04-16 20:00:14,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "filesystem",
            "api": "GetFileVersionInfoSizeW",
            "status": true,
            "return": "0x000007a4",
            "arguments": [
              {
                "name": "PathName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll"
              }
            ],
            "repeated": 0,
            "id": 1570
          },
          {
            "timestamp": "2026-04-16 20:00:14,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "VERSION.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75460000"
              },
              {
                "name": "FunctionName",
                "value": "GetFileVersionInfoW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x754615e0"
              }
            ],
            "repeated": 0,
            "id": 1571
          },
          {
            "timestamp": "2026-04-16 20:00:14,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "filesystem",
            "api": "GetFileVersionInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "PathName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll"
              }
            ],
            "repeated": 0,
            "id": 1572
          },
          {
            "timestamp": "2026-04-16 20:00:14,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "VERSION.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75460000"
              },
              {
                "name": "FunctionName",
                "value": "VerQueryValueW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75461560"
              }
            ],
            "repeated": 0,
            "id": 1573
          },
          {
            "timestamp": "2026-04-16 20:00:14,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003b0"
              },
              {
                "name": "SubKey",
                "value": "policy.2.0.System.Windows.Forms__b77a5c561934e089"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Windows.Forms__b77a5c561934e089"
              }
            ],
            "repeated": 0,
            "id": 1574
          },
          {
            "timestamp": "2026-04-16 20:00:14,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0130e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1575
          },
          {
            "timestamp": "2026-04-16 20:00:14,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "NI\\61e7e666\\c991064"
              },
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064"
              }
            ],
            "repeated": 0,
            "id": 1576
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "e"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e"
              }
            ],
            "repeated": 0,
            "id": 1577
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\"
              }
            ],
            "repeated": 0,
            "id": 1578
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 1579
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "NI\\61e7e666\\c991064\\e"
              },
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e"
              }
            ],
            "repeated": 0,
            "id": 1580
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "DisplayName"
              },
              {
                "name": "Data",
                "value": "System.Windows.Forms,2.0.0.0,,b77a5c561934e089"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\DisplayName"
              }
            ],
            "repeated": 0,
            "id": 1581
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ConfigMask"
              },
              {
                "name": "Data",
                "value": "4361"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\ConfigMask"
              }
            ],
            "repeated": 0,
            "id": 1582
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ConfigString"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\ConfigString"
              }
            ],
            "repeated": 0,
            "id": 1583
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "MVID"
              },
              {
                "name": "Data",
                "value": "\\x19N\\x1e\\x92\\xbf\\xaeS\\x96\\x08e\\x18\\xc2\\xec\n\\x0ft"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\MVID"
              }
            ],
            "repeated": 0,
            "id": 1584
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 1585
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "NI\\61e7e666\\c991064\\e"
              },
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e"
              }
            ],
            "repeated": 0,
            "id": 1586
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "EvalationData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\EvalationData"
              }
            ],
            "repeated": 0,
            "id": 1587
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Status"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\Status"
              }
            ],
            "repeated": 0,
            "id": 1588
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ILDependencies"
              },
              {
                "name": "Data",
                "value": "@\\xce]G\\xb6\\xf9\\x10\\x19\\x02\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00W\\x8d\\xab\\x19t&\\xa3.\\x07\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xac\\xd6-\\xb7\\xf8\\xf1%\\x03\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\xd4KB\\xd5\\x04\\xc5\\x0c\\x06\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00~L\\xc0AT\\xf5Wz\\x1d\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc5Y\\xed<\\x00\\xa2\\x0bb\\x0e\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x10\\x99\\x0cX\\xb0\\xeb\\x7f\\x1e\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\ILDependencies"
              }
            ],
            "repeated": 0,
            "id": 1589
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "NIDependencies"
              },
              {
                "name": "Data",
                "value": "\\xc68\\x19\\x18\\xc5\\xe2Py\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00O|\\xbc0O\\xfeP?\\x08\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\x06\\xca<\\xc0\\xd4\\xc7m\\x0f\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\NIDependencies"
              }
            ],
            "repeated": 0,
            "id": 1590
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "MissingDependencies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\MissingDependencies"
              }
            ],
            "repeated": 0,
            "id": 1591
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 1592
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "IL\\475dce40\\1910f9b6\\2"
              },
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\1910f9b6\\2"
              }
            ],
            "repeated": 0,
            "id": 1593
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "DisplayName"
              },
              {
                "name": "Data",
                "value": "System.Security,2.0.0.0,,b03f5f7f11d50a3a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\1910f9b6\\2\\DisplayName"
              }
            ],
            "repeated": 0,
            "id": 1594
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Status"
              },
              {
                "name": "Data",
                "value": "4098"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\1910f9b6\\2\\Status"
              }
            ],
            "repeated": 0,
            "id": 1595
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Modules"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\1910f9b6\\2\\Modules"
              }
            ],
            "repeated": 0,
            "id": 1596
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "SIG"
              },
              {
                "name": "Data",
                "value": "\\x08\\x03VdL\\xe0}B\\xb3\\x80\\x140i\\xbf^\\xfcT0=\\xdb\\xb5\\x9b\\x9b[1\\xba\\xbe\\xf8I\\x1e\n\\x06G\\xa7\\xbf "
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\1910f9b6\\2\\SIG"
              }
            ],
            "repeated": 0,
            "id": 1597
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LastModTime"
              },
              {
                "name": "Data",
                "value": "\\xa3k\\xc9@\\x07\\xac\\xdc\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\1910f9b6\\2\\LastModTime"
              }
            ],
            "repeated": 0,
            "id": 1598
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 1599
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "IL\\2dd6ac50\\25f1f8b7\\3"
              },
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\25f1f8b7\\3"
              }
            ],
            "repeated": 0,
            "id": 1600
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "DisplayName"
              },
              {
                "name": "Data",
                "value": "Accessibility,2.0.0.0,,b03f5f7f11d50a3a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\25f1f8b7\\3\\DisplayName"
              }
            ],
            "repeated": 0,
            "id": 1601
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Status"
              },
              {
                "name": "Data",
                "value": "4098"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\25f1f8b7\\3\\Status"
              }
            ],
            "repeated": 0,
            "id": 1602
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Modules"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\25f1f8b7\\3\\Modules"
              }
            ],
            "repeated": 0,
            "id": 1603
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "SIG"
              },
              {
                "name": "Data",
                "value": "z\\xb1\\xaa^\\x82\\x82\\x9bJ\\x84\\x94\\xe5%\\x92\\xf5P\r\\xd2\\xaf\\x11Z\\xf2&\\x19R\\x02V\\x821_\\\\xabW\\xeb\\xe8\\xb4\\xef"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\25f1f8b7\\3\\SIG"
              }
            ],
            "repeated": 0,
            "id": 1604
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LastModTime"
              },
              {
                "name": "Data",
                "value": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\25f1f8b7\\3\\LastModTime"
              }
            ],
            "repeated": 0,
            "id": 1605
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 1606
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "IL\\41c04c7e\\7a57f554\\1d"
              },
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7a57f554\\1d"
              }
            ],
            "repeated": 0,
            "id": 1607
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "DisplayName"
              },
              {
                "name": "Data",
                "value": "System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7a57f554\\1d\\DisplayName"
              }
            ],
            "repeated": 0,
            "id": 1608
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Status"
              },
              {
                "name": "Data",
                "value": "4098"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7a57f554\\1d\\Status"
              }
            ],
            "repeated": 0,
            "id": 1609
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Modules"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7a57f554\\1d\\Modules"
              }
            ],
            "repeated": 0,
            "id": 1610
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "SIG"
              },
              {
                "name": "Data",
                "value": "P\\xd0O\\xcbR]\\x90@\\x85\\x86M\\x87\\x82\r\\xa8\\xdd~\\x17\\xf4\\xe2\\x84\\xca\\x8c\\xfd-\\xacs\\xce\\xf7 \\xc3/\\xb3\\xcft\\xbf"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7a57f554\\1d\\SIG"
              }
            ],
            "repeated": 0,
            "id": 1611
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LastModTime"
              },
              {
                "name": "Data",
                "value": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7a57f554\\1d\\LastModTime"
              }
            ],
            "repeated": 0,
            "id": 1612
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 1613
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "IL\\3ced59c5\\620ba200\\e"
              },
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\620ba200\\e"
              }
            ],
            "repeated": 0,
            "id": 1614
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "DisplayName"
              },
              {
                "name": "Data",
                "value": "System.Deployment,2.0.0.0,,b03f5f7f11d50a3a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\620ba200\\e\\DisplayName"
              }
            ],
            "repeated": 0,
            "id": 1615
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Status"
              },
              {
                "name": "Data",
                "value": "4098"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\620ba200\\e\\Status"
              }
            ],
            "repeated": 0,
            "id": 1616
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Modules"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\620ba200\\e\\Modules"
              }
            ],
            "repeated": 0,
            "id": 1617
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "SIG"
              },
              {
                "name": "Data",
                "value": "\\xe1\\x8a\\xf5\\x0e\\xe2q\\x8bN\\x97\nB#\\x17\\x8a\\xe6\\xf3\\xe4i\\x1a\\xeeJVa\\\\xcb\\x0ff)\\x08UQ\\x86\\x80E\\x08\\x1a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\620ba200\\e\\SIG"
              }
            ],
            "repeated": 0,
            "id": 1618
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LastModTime"
              },
              {
                "name": "Data",
                "value": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\620ba200\\e\\LastModTime"
              }
            ],
            "repeated": 0,
            "id": 1619
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 1620
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "IL\\c991064\\7febb058\\1e"
              },
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\7febb058\\1e"
              }
            ],
            "repeated": 0,
            "id": 1621
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "DisplayName"
              },
              {
                "name": "Data",
                "value": "System.Windows.Forms,2.0.0.0,,b77a5c561934e089"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\7febb058\\1e\\DisplayName"
              }
            ],
            "repeated": 0,
            "id": 1622
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Status"
              },
              {
                "name": "Data",
                "value": "4098"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\7febb058\\1e\\Status"
              }
            ],
            "repeated": 0,
            "id": 1623
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Modules"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\7febb058\\1e\\Modules"
              }
            ],
            "repeated": 0,
            "id": 1624
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "SIG"
              },
              {
                "name": "Data",
                "value": "\\x84\\xda\\xb9\\xe2\\xe1\\5I\\x8c\\xe5a\\xb1\\xb8\\x91\\xd5\\xf7\\xeeKz\\x06#R\\x17\\xc9\\xbf0\\xed\\xbb\\x91p\\x9a#Zk@\\xd5"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\7febb058\\1e\\SIG"
              }
            ],
            "repeated": 0,
            "id": 1625
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LastModTime"
              },
              {
                "name": "Data",
                "value": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\7febb058\\1e\\LastModTime"
              }
            ],
            "repeated": 0,
            "id": 1626
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 1627
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "NI\\3cca06a0\\6dc7d4c0\\f"
              },
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f"
              }
            ],
            "repeated": 0,
            "id": 1628
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "DisplayName"
              },
              {
                "name": "Data",
                "value": "System.Drawing,2.0.0.0,,b03f5f7f11d50a3a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\DisplayName"
              }
            ],
            "repeated": 0,
            "id": 1629
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ConfigMask"
              },
              {
                "name": "Data",
                "value": "4361"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\ConfigMask"
              }
            ],
            "repeated": 0,
            "id": 1630
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ConfigString"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\ConfigString"
              }
            ],
            "repeated": 0,
            "id": 1631
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "MVID"
              },
              {
                "name": "Data",
                "value": "\\xa0=\\xd8\\x87\\x19)\\x95\\h\\x022h,\\x94d\\xa0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\MVID"
              }
            ],
            "repeated": 0,
            "id": 1632
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "EvalationData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\EvalationData"
              }
            ],
            "repeated": 0,
            "id": 1633
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Status"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\Status"
              }
            ],
            "repeated": 0,
            "id": 1634
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ILDependencies"
              },
              {
                "name": "Data",
                "value": "\\xc0\\xd4\\xc7m\\x16\\x96\\x94$\\x10\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\ILDependencies"
              }
            ],
            "repeated": 0,
            "id": 1635
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "NIDependencies"
              },
              {
                "name": "Data",
                "value": "\\xc68\\x19\\x18\\xc5\\xe2Py\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00O|\\xbc0O\\xfeP?\\x08\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\NIDependencies"
              }
            ],
            "repeated": 0,
            "id": 1636
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "MissingDependencies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\MissingDependencies"
              }
            ],
            "repeated": 0,
            "id": 1637
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 1638
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "IL\\6dc7d4c0\\24949616\\10"
              },
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\24949616\\10"
              }
            ],
            "repeated": 0,
            "id": 1639
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "DisplayName"
              },
              {
                "name": "Data",
                "value": "System.Drawing,2.0.0.0,,b03f5f7f11d50a3a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\24949616\\10\\DisplayName"
              }
            ],
            "repeated": 0,
            "id": 1640
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Status"
              },
              {
                "name": "Data",
                "value": "4098"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\24949616\\10\\Status"
              }
            ],
            "repeated": 0,
            "id": 1641
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Modules"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\24949616\\10\\Modules"
              }
            ],
            "repeated": 0,
            "id": 1642
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "SIG"
              },
              {
                "name": "Data",
                "value": "\\x7fX\\xbb\\xfa\\x0e\\xf2\\xcbD\\x91\\xf4^\\x19\\xf6\r\r\\x0c\\xab\\x0eq\\xfcgB\\x12\\xe3\\xe8\\xe5\\x99Q\\x80\\xb8\\x0bu\\xdc\\x16\\x14?"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\24949616\\10\\SIG"
              }
            ],
            "repeated": 0,
            "id": 1643
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "LastModTime"
              },
              {
                "name": "Data",
                "value": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\24949616\\10\\LastModTime"
              }
            ],
            "repeated": 0,
            "id": 1644
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 1645
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL"
              },
              {
                "name": "Data",
                "value": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL"
              }
            ],
            "repeated": 0,
            "id": 1646
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003b0"
              },
              {
                "name": "SubKey",
                "value": "policy.2.0.System.Drawing__b03f5f7f11d50a3a"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a"
              }
            ],
            "repeated": 0,
            "id": 1647
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL"
              },
              {
                "name": "Data",
                "value": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL"
              }
            ],
            "repeated": 0,
            "id": 1648
          },
          {
            "timestamp": "2026-04-16 20:00:14,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 1649
          },
          {
            "timestamp": "2026-04-16 20:00:15,064",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\a03dd8871929955c680232682c9464a0\\System.Drawing.ni"
              },
              {
                "name": "DllBase",
                "value": "0x72240000"
              }
            ],
            "repeated": 0,
            "id": 1650
          },
          {
            "timestamp": "2026-04-16 20:00:15,064",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\a03dd8871929955c680232682c9464a0\\System.Drawing.ni.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x72240000"
              }
            ],
            "repeated": 0,
            "id": 1651
          },
          {
            "timestamp": "2026-04-16 20:00:15,064",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x72240000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\a03dd8871929955c680232682c9464a0\\System.Drawing.ni.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 1652
          },
          {
            "timestamp": "2026-04-16 20:00:15,064",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003b0"
              },
              {
                "name": "SubKey",
                "value": "policy.2.0.System.Deployment__b03f5f7f11d50a3a"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a"
              }
            ],
            "repeated": 0,
            "id": 1653
          },
          {
            "timestamp": "2026-04-16 20:00:15,064",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL"
              },
              {
                "name": "Data",
                "value": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL"
              }
            ],
            "repeated": 0,
            "id": 1654
          },
          {
            "timestamp": "2026-04-16 20:00:15,064",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003b0"
              },
              {
                "name": "SubKey",
                "value": "policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a"
              }
            ],
            "repeated": 0,
            "id": 1655
          },
          {
            "timestamp": "2026-04-16 20:00:15,064",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL"
              },
              {
                "name": "Data",
                "value": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL"
              }
            ],
            "repeated": 0,
            "id": 1656
          },
          {
            "timestamp": "2026-04-16 20:00:15,064",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003b0"
              },
              {
                "name": "SubKey",
                "value": "policy.2.0.Accessibility__b03f5f7f11d50a3a"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a"
              }
            ],
            "repeated": 0,
            "id": 1657
          },
          {
            "timestamp": "2026-04-16 20:00:15,064",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL"
              },
              {
                "name": "Data",
                "value": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL"
              }
            ],
            "repeated": 0,
            "id": 1658
          },
          {
            "timestamp": "2026-04-16 20:00:15,064",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003b0"
              },
              {
                "name": "SubKey",
                "value": "policy.2.0.System.Security__b03f5f7f11d50a3a"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a"
              }
            ],
            "repeated": 0,
            "id": 1659
          },
          {
            "timestamp": "2026-04-16 20:00:15,080",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL"
              },
              {
                "name": "Data",
                "value": "\\xa3k\\xc9@\\x07\\xac\\xdc\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL"
              }
            ],
            "repeated": 0,
            "id": 1660
          },
          {
            "timestamp": "2026-04-16 20:00:15,080",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 1661
          },
          {
            "timestamp": "2026-04-16 20:00:15,721",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\194e1e92bfae5396086518c2ec0a0f74\\System.Windows.Forms.ni"
              },
              {
                "name": "DllBase",
                "value": "0x71660000"
              }
            ],
            "repeated": 0,
            "id": 1662
          },
          {
            "timestamp": "2026-04-16 20:00:15,721",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\194e1e92bfae5396086518c2ec0a0f74\\System.Windows.Forms.ni.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x71660000"
              }
            ],
            "repeated": 0,
            "id": 1663
          },
          {
            "timestamp": "2026-04-16 20:00:15,721",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x71660000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\194e1e92bfae5396086518c2ec0a0f74\\System.Windows.Forms.ni.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 1664
          },
          {
            "timestamp": "2026-04-16 20:00:15,768",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 3,
            "id": 1665
          },
          {
            "timestamp": "2026-04-16 20:00:15,768",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "MSCORWKS.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x737e0000"
              }
            ],
            "repeated": 0,
            "id": 1666
          },
          {
            "timestamp": "2026-04-16 20:00:15,768",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "mscorjit.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x72b80000"
              }
            ],
            "repeated": 0,
            "id": 1667
          },
          {
            "timestamp": "2026-04-16 20:00:15,768",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\System.Windows.Forms.INI"
              }
            ],
            "repeated": 0,
            "id": 1668
          },
          {
            "timestamp": "2026-04-16 20:00:15,768",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 3,
            "id": 1669
          },
          {
            "timestamp": "2026-04-16 20:00:15,768",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "MSCORWKS.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x737e0000"
              }
            ],
            "repeated": 0,
            "id": 1670
          },
          {
            "timestamp": "2026-04-16 20:00:15,768",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "mscorjit.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x72b80000"
              }
            ],
            "repeated": 0,
            "id": 1671
          },
          {
            "timestamp": "2026-04-16 20:00:15,768",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Drawing\\2.0.0.0__b03f5f7f11d50a3a\\System.Drawing.INI"
              }
            ],
            "repeated": 0,
            "id": 1672
          },
          {
            "timestamp": "2026-04-16 20:00:15,783",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f77000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1673
          },
          {
            "timestamp": "2026-04-16 20:00:15,783",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x06c0f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1674
          },
          {
            "timestamp": "2026-04-16 20:00:15,877",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f78000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1675
          },
          {
            "timestamp": "2026-04-16 20:00:15,908",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "user32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x75d10000"
              }
            ],
            "repeated": 0,
            "id": 1676
          },
          {
            "timestamp": "2026-04-16 20:00:15,908",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x75d10000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "user32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1677
          },
          {
            "timestamp": "2026-04-16 20:00:15,908",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07eec000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1678
          },
          {
            "timestamp": "2026-04-16 20:00:15,908",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterWindowMessage"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1679
          },
          {
            "timestamp": "2026-04-16 20:00:15,908",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterWindowMessageW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d4f550"
              }
            ],
            "repeated": 0,
            "id": 1680
          },
          {
            "timestamp": "2026-04-16 20:00:15,908",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f79000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1681
          },
          {
            "timestamp": "2026-04-16 20:00:15,908",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00d91000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1682
          },
          {
            "timestamp": "2026-04-16 20:00:15,908",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01310000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1683
          },
          {
            "timestamp": "2026-04-16 20:00:15,924",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1684
          },
          {
            "timestamp": "2026-04-16 20:00:15,924",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1685
          },
          {
            "timestamp": "2026-04-16 20:00:15,924",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1686
          },
          {
            "timestamp": "2026-04-16 20:00:15,924",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1687
          },
          {
            "timestamp": "2026-04-16 20:00:15,924",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1688
          },
          {
            "timestamp": "2026-04-16 20:00:15,924",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1689
          },
          {
            "timestamp": "2026-04-16 20:00:15,971",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6ae83",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetCurrentProcess"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad2e80"
              }
            ],
            "repeated": 0,
            "id": 1690
          },
          {
            "timestamp": "2026-04-16 20:00:15,971",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6ae83",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetCurrentProcessW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1691
          },
          {
            "timestamp": "2026-04-16 20:00:15,971",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6ae83",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "OpenProcessToken"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebea30"
              }
            ],
            "repeated": 0,
            "id": 1692
          },
          {
            "timestamp": "2026-04-16 20:00:15,971",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6ae83",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "OpenProcessTokenW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1693
          },
          {
            "timestamp": "2026-04-16 20:00:15,971",
            "thread_id": "4344",
            "caller": "0x02f6b1e2",
            "parentcaller": "0x07c6ae83",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 1694
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x07c6aefe",
            "parentcaller": "0x07c6adc1",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetCurrentProcess"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad2e80"
              }
            ],
            "repeated": 0,
            "id": 1695
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x07c6aefe",
            "parentcaller": "0x07c6adc1",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetCurrentThread"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ace7b0"
              }
            ],
            "repeated": 0,
            "id": 1696
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6aefe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "DuplicateHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad2ef0"
              }
            ],
            "repeated": 0,
            "id": 1697
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x02f6b2c4",
            "parentcaller": "0x07c6aefe",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000003cc"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 1698
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x07c6aefe",
            "parentcaller": "0x07c6adc1",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetCurrentThreadId"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76acdf10"
              }
            ],
            "repeated": 0,
            "id": 1699
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x07c6aefe",
            "parentcaller": "0x07c6adc1",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetSystemMetrics"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d44920"
              }
            ],
            "repeated": 0,
            "id": 1700
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6aefe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetModuleHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1701
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6aefe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetModuleHandleW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0e50"
              }
            ],
            "repeated": 0,
            "id": 1702
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x02f6b11a",
            "parentcaller": "0x07c6aefe",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "user32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              }
            ],
            "repeated": 0,
            "id": 1703
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6aefe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetProcAddress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76acf550"
              }
            ],
            "repeated": 0,
            "id": 1704
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x02f6b3b0",
            "parentcaller": "0x07c6aefe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "DefWindowProcW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ec7fa0"
              }
            ],
            "repeated": 0,
            "id": 1705
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6aefe",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "gdi32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x76a80000"
              }
            ],
            "repeated": 0,
            "id": 1706
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6aefe",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x76a80000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "gdi32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1707
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6aefe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "GetStockObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a85e50"
              }
            ],
            "repeated": 0,
            "id": 1708
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x07c6aefe",
            "parentcaller": "0x07c6adc1",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000419",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 2,
            "id": 1709
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6aefe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterClass"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1710
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6aefe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterClassW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d3f1d0"
              }
            ],
            "repeated": 0,
            "id": 1711
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x02f6a1c2",
            "parentcaller": "0x07c6aefe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77060000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemAlloc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77c57f90"
              }
            ],
            "repeated": 0,
            "id": 1712
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x02f6a1dd",
            "parentcaller": "0x07c6aefe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77060000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemFree"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77c583b0"
              }
            ],
            "repeated": 0,
            "id": 1713
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6aefe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "CreateWindowEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1714
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6aefe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "CreateWindowExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d3f220"
              }
            ],
            "repeated": 0,
            "id": 1715
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "SetWindowLong"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1716
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "SetWindowLongW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d45420"
              }
            ],
            "repeated": 0,
            "id": 1717
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetWindowLong"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1718
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetWindowLongW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d48510"
              }
            ],
            "repeated": 0,
            "id": 1719
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x02f623e7",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "RegCloseKey"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebeb20"
              }
            ],
            "repeated": 0,
            "id": 1720
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "RegOpenKeyEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1721
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "RegOpenKeyExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebe9b0"
              }
            ],
            "repeated": 0,
            "id": 1722
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x02f6b74b",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework"
              },
              {
                "name": "Handle",
                "value": "0x000003d8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework"
              }
            ],
            "repeated": 0,
            "id": 1723
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "RegQueryValueEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1724
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "RegQueryValueExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebe8e0"
              }
            ],
            "repeated": 0,
            "id": 1725
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x02f6b84e",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "DbgJITDebugLaunchSetting"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\DbgJITDebugLaunchSetting"
              }
            ],
            "repeated": 0,
            "id": 1726
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x02f6b84e",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "DbgManagedDebugger"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\DbgManagedDebugger"
              }
            ],
            "repeated": 0,
            "id": 1727
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x02f6b54b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 1728
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "SetWindowLong"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1729
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "SetWindowLongW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d45420"
              }
            ],
            "repeated": 0,
            "id": 1730
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x02f6b54b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "CallWindowProc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1731
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x02f6b54b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "CallWindowProcW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d453f0"
              }
            ],
            "repeated": 0,
            "id": 1732
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetClientRect"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d44cc0"
              }
            ],
            "repeated": 0,
            "id": 1733
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetWindowRect"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d44a40"
              }
            ],
            "repeated": 0,
            "id": 1734
          },
          {
            "timestamp": "2026-04-16 20:00:15,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6aefe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetParent"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d47310"
              }
            ],
            "repeated": 0,
            "id": 1735
          },
          {
            "timestamp": "2026-04-16 20:00:16,049",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6afd9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07c6b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1736
          },
          {
            "timestamp": "2026-04-16 20:00:16,064",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01312000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1737
          },
          {
            "timestamp": "2026-04-16 20:00:16,064",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003b0"
              },
              {
                "name": "SubKey",
                "value": "policy.2.0.System.Runtime.Remoting__b77a5c561934e089"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Remoting__b77a5c561934e089"
              }
            ],
            "repeated": 0,
            "id": 1738
          },
          {
            "timestamp": "2026-04-16 20:00:16,064",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "NI\\432ba598\\f6e8397"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397"
              }
            ],
            "repeated": 0,
            "id": 1739
          },
          {
            "timestamp": "2026-04-16 20:00:16,064",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_32\\System.Runtime.Remoting\\2.0.0.0__b77a5c561934e089"
              }
            ],
            "repeated": 0,
            "id": 1740
          },
          {
            "timestamp": "2026-04-16 20:00:16,064",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Runtime.Remoting\\2.0.0.0__b77a5c561934e089"
              }
            ],
            "repeated": 0,
            "id": 1741
          },
          {
            "timestamp": "2026-04-16 20:00:16,064",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Runtime.Remoting\\2.0.0.0__b77a5c561934e089\\System.Runtime.Remoting.dll"
              }
            ],
            "repeated": 0,
            "id": 1742
          },
          {
            "timestamp": "2026-04-16 20:00:16,064",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 1743
          },
          {
            "timestamp": "2026-04-16 20:00:16,064",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Runtime.Remoting\\2.0.0.0__b77a5c561934e089\\System.Runtime.Remoting.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1744
          },
          {
            "timestamp": "2026-04-16 20:00:16,064",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000003dc"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Runtime.Remoting\\2.0.0.0__b77a5c561934e089\\System.Runtime.Remoting.dll"
              }
            ],
            "repeated": 0,
            "id": 1745
          },
          {
            "timestamp": "2026-04-16 20:00:16,064",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07e70000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd228"
              },
              {
                "name": "ViewSize",
                "value": "0x0004c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1746
          },
          {
            "timestamp": "2026-04-16 20:00:16,064",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003e0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ef0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd228"
              },
              {
                "name": "ViewSize",
                "value": "0x0004c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1747
          },
          {
            "timestamp": "2026-04-16 20:00:16,064",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07e70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1748
          },
          {
            "timestamp": "2026-04-16 20:00:16,064",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 1749
          },
          {
            "timestamp": "2026-04-16 20:00:16,064",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Runtime.Remoting\\2.0.0.0__b77a5c561934e089\\System.Runtime.Remoting.INI"
              }
            ],
            "repeated": 0,
            "id": 1750
          },
          {
            "timestamp": "2026-04-16 20:00:16,064",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1751
          },
          {
            "timestamp": "2026-04-16 20:00:16,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1752
          },
          {
            "timestamp": "2026-04-16 20:00:16,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07da0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1753
          },
          {
            "timestamp": "2026-04-16 20:00:16,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07da0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1754
          },
          {
            "timestamp": "2026-04-16 20:00:16,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07da4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1755
          },
          {
            "timestamp": "2026-04-16 20:00:16,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07da5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1756
          },
          {
            "timestamp": "2026-04-16 20:00:16,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Runtime.Remoting\\2.0.0.0__b77a5c561934e089\\System.Runtime.Remoting.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1757
          },
          {
            "timestamp": "2026-04-16 20:00:16,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003dc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Runtime.Remoting\\2.0.0.0__b77a5c561934e089\\System.Runtime.Remoting.dll"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1758
          },
          {
            "timestamp": "2026-04-16 20:00:16,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003e4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Runtime.Remoting\\2.0.0.0__b77a5c561934e089\\System.Runtime.Remoting.dll"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1759
          },
          {
            "timestamp": "2026-04-16 20:00:16,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000002"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Runtime.Remoting\\2.0.0.0__b77a5c561934e089\\System.Runtime.Remoting.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x07e70000"
              }
            ],
            "repeated": 0,
            "id": 1760
          },
          {
            "timestamp": "2026-04-16 20:00:16,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x07e70000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Runtime.Remoting\\2.0.0.0__b77a5c561934e089\\System.Runtime.Remoting.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000009"
              }
            ],
            "repeated": 0,
            "id": 1761
          },
          {
            "timestamp": "2026-04-16 20:00:16,080",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e4"
              }
            ],
            "repeated": 0,
            "id": 1762
          },
          {
            "timestamp": "2026-04-16 20:00:16,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01314000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1763
          },
          {
            "timestamp": "2026-04-16 20:00:16,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01315000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1764
          },
          {
            "timestamp": "2026-04-16 20:00:16,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d91000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1765
          },
          {
            "timestamp": "2026-04-16 20:00:16,205",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ec0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1766
          },
          {
            "timestamp": "2026-04-16 20:00:16,205",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ec0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1767
          },
          {
            "timestamp": "2026-04-16 20:00:16,205",
            "thread_id": "4344",
            "caller": "0x07c6b710",
            "parentcaller": "0x07c6b1e0",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77060000"
              },
              {
                "name": "FunctionName",
                "value": "IIDFromString"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77c59c70"
              }
            ],
            "repeated": 0,
            "id": 1768
          },
          {
            "timestamp": "2026-04-16 20:00:16,314",
            "thread_id": "4344",
            "caller": "0x02f6b1e2",
            "parentcaller": "0x07c6b261",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003f0"
              }
            ],
            "repeated": 0,
            "id": 1769
          },
          {
            "timestamp": "2026-04-16 20:00:16,314",
            "thread_id": "4344",
            "caller": "0x02f6b1e2",
            "parentcaller": "0x07c6b268",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003f4"
              }
            ],
            "repeated": 0,
            "id": 1770
          },
          {
            "timestamp": "2026-04-16 20:00:16,314",
            "thread_id": "4344",
            "caller": "0x07c6b268",
            "parentcaller": "0x07c6a856",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "LocalFree"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76acf530"
              }
            ],
            "repeated": 0,
            "id": 1771
          },
          {
            "timestamp": "2026-04-16 20:00:16,314",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6b268",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "GetTokenInformation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebe690"
              }
            ],
            "repeated": 0,
            "id": 1772
          },
          {
            "timestamp": "2026-04-16 20:00:16,314",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6b268",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "GetTokenInformationW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1773
          },
          {
            "timestamp": "2026-04-16 20:00:16,314",
            "thread_id": "4344",
            "caller": "0x02f6bbe2",
            "parentcaller": "0x07c6b268",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1774
          },
          {
            "timestamp": "2026-04-16 20:00:16,314",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6b268",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "LocalAlloc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0460"
              }
            ],
            "repeated": 0,
            "id": 1775
          },
          {
            "timestamp": "2026-04-16 20:00:16,314",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6b268",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "LocalAllocW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1776
          },
          {
            "timestamp": "2026-04-16 20:00:16,314",
            "thread_id": "4344",
            "caller": "0x02f6bbe2",
            "parentcaller": "0x07c6b268",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xba0\\x01\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xcc\\x04\\x82\\xdf\\xb2e\\xf3\\xf4\\xc8\\x97L\\xbe\\xe8\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1777
          },
          {
            "timestamp": "2026-04-16 20:00:16,314",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6b268",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x74160000"
              },
              {
                "name": "FunctionName",
                "value": "ND_RU1"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x74173960"
              }
            ],
            "repeated": 0,
            "id": 1778
          },
          {
            "timestamp": "2026-04-16 20:00:16,314",
            "thread_id": "4344",
            "caller": "0x02f6bd95",
            "parentcaller": "0x07c6b268",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "ND_RU1_RetAddr"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1779
          },
          {
            "timestamp": "2026-04-16 20:00:16,314",
            "thread_id": "4344",
            "caller": "0x02f6bd95",
            "parentcaller": "0x07c6b268",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "ND_RU1"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x73e24630"
              }
            ],
            "repeated": 0,
            "id": 1780
          },
          {
            "timestamp": "2026-04-16 20:00:16,314",
            "thread_id": "4344",
            "caller": "0x07c6b268",
            "parentcaller": "0x07c6a856",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "LsaClose"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ed4de0"
              }
            ],
            "repeated": 0,
            "id": 1781
          },
          {
            "timestamp": "2026-04-16 20:00:16,314",
            "thread_id": "4344",
            "caller": "0x07c6b268",
            "parentcaller": "0x07c6a856",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "LsaFreeMemory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ed4e80"
              }
            ],
            "repeated": 0,
            "id": 1782
          },
          {
            "timestamp": "2026-04-16 20:00:16,314",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6b268",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "LsaOpenPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ed5020"
              }
            ],
            "repeated": 0,
            "id": 1783
          },
          {
            "timestamp": "2026-04-16 20:00:16,314",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6b268",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "LsaOpenPolicyW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1784
          },
          {
            "timestamp": "2026-04-16 20:00:16,314",
            "thread_id": "4344",
            "caller": "0x02f6be6d",
            "parentcaller": "0x07c6b268",
            "category": "misc",
            "api": "LsaOpenPolicy",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1785
          },
          {
            "timestamp": "2026-04-16 20:00:16,314",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6b268",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "LsaLookupSids"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ed4ff0"
              }
            ],
            "repeated": 0,
            "id": 1786
          },
          {
            "timestamp": "2026-04-16 20:00:16,314",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6b268",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "LsaLookupSidsW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1787
          },
          {
            "timestamp": "2026-04-16 20:00:16,314",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6b268",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ec0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1788
          },
          {
            "timestamp": "2026-04-16 20:00:16,314",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6b268",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ec0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1789
          },
          {
            "timestamp": "2026-04-16 20:00:16,330",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1790
          },
          {
            "timestamp": "2026-04-16 20:00:16,330",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1791
          },
          {
            "timestamp": "2026-04-16 20:00:16,330",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6b27a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07da6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1792
          },
          {
            "timestamp": "2026-04-16 20:00:16,424",
            "thread_id": "4344",
            "caller": "0x02f6be6d",
            "parentcaller": "0x07c6a856",
            "category": "misc",
            "api": "LsaOpenPolicy",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1793
          },
          {
            "timestamp": "2026-04-16 20:00:16,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "LsaLookupNames2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ed4f90"
              }
            ],
            "repeated": 0,
            "id": 1794
          },
          {
            "timestamp": "2026-04-16 20:00:16,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6a856",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "LsaLookupNames2W"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1795
          },
          {
            "timestamp": "2026-04-16 20:00:16,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6b2ea",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateEvent"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1796
          },
          {
            "timestamp": "2026-04-16 20:00:16,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6b2ea",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateEventW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad2f60"
              }
            ],
            "repeated": 0,
            "id": 1797
          },
          {
            "timestamp": "2026-04-16 20:00:16,455",
            "thread_id": "4344",
            "caller": "0x07ec02de",
            "parentcaller": "0x07c6b2ea",
            "category": "synchronization",
            "api": "NtCreateEvent",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fc"
              },
              {
                "name": "EventName",
                "value": "657166ec-df19-4a6c-af18-dcf7f06759c71.2Event"
              },
              {
                "name": "EventType",
                "value": "0"
              },
              {
                "name": "InitialState",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1798
          },
          {
            "timestamp": "2026-04-16 20:00:16,455",
            "thread_id": "4344",
            "caller": "0x07ec02de",
            "parentcaller": "0x07c6b31b",
            "category": "synchronization",
            "api": "NtCreateEvent",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              },
              {
                "name": "EventName",
                "value": "657166ec-df19-4a6c-af18-dcf7f06759c71.2Event2"
              },
              {
                "name": "EventType",
                "value": "1"
              },
              {
                "name": "InitialState",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1799
          },
          {
            "timestamp": "2026-04-16 20:00:16,502",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrLoadDll",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ws2_32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1800
          },
          {
            "timestamp": "2026-04-16 20:00:16,518",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ws2_32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 1801
          },
          {
            "timestamp": "2026-04-16 20:00:16,518",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ws2_32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x76640000"
              }
            ],
            "repeated": 0,
            "id": 1802
          },
          {
            "timestamp": "2026-04-16 20:00:16,518",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x76640000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ws2_32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1803
          },
          {
            "timestamp": "2026-04-16 20:00:16,518",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "WS2_32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76640000"
              },
              {
                "name": "FunctionName",
                "value": "WSAStartup"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76649cc0"
              }
            ],
            "repeated": 0,
            "id": 1804
          },
          {
            "timestamp": "2026-04-16 20:00:16,518",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x07c6bad6",
            "category": "network",
            "api": "WSAStartup",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "VersionRequested",
                "value": "0x00000202"
              }
            ],
            "repeated": 0,
            "id": 1805
          },
          {
            "timestamp": "2026-04-16 20:00:16,580",
            "thread_id": "4344",
            "caller": "0x02f6b74b",
            "parentcaller": "0x02f62420",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion"
              },
              {
                "name": "Handle",
                "value": "0x00000408"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 1806
          },
          {
            "timestamp": "2026-04-16 20:00:16,580",
            "thread_id": "4344",
            "caller": "0x02f6b84e",
            "parentcaller": "0x02f62420",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000408"
              },
              {
                "name": "ValueName",
                "value": "InstallationType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\InstallationType"
              }
            ],
            "repeated": 0,
            "id": 1807
          },
          {
            "timestamp": "2026-04-16 20:00:16,580",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "RegQueryValueEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1808
          },
          {
            "timestamp": "2026-04-16 20:00:16,580",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "RegQueryValueExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebe8e0"
              }
            ],
            "repeated": 0,
            "id": 1809
          },
          {
            "timestamp": "2026-04-16 20:00:16,580",
            "thread_id": "4344",
            "caller": "0x07ec0410",
            "parentcaller": "0x02f62420",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000408"
              },
              {
                "name": "ValueName",
                "value": "InstallationType"
              },
              {
                "name": "Data",
                "value": "Client"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\InstallationType"
              }
            ],
            "repeated": 0,
            "id": 1810
          },
          {
            "timestamp": "2026-04-16 20:00:16,580",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6bad6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000408"
              }
            ],
            "repeated": 0,
            "id": 1811
          },
          {
            "timestamp": "2026-04-16 20:00:16,580",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "WS2_32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76640000"
              },
              {
                "name": "FunctionName",
                "value": "WSASocket"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1812
          },
          {
            "timestamp": "2026-04-16 20:00:16,580",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "WS2_32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76640000"
              },
              {
                "name": "FunctionName",
                "value": "WSASocketW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7664cbc0"
              }
            ],
            "repeated": 0,
            "id": 1813
          },
          {
            "timestamp": "2026-04-16 20:00:16,580",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0131a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1814
          },
          {
            "timestamp": "2026-04-16 20:00:16,580",
            "thread_id": "4344",
            "caller": "0x07ec04a4",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "WS2_32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76640000"
              },
              {
                "name": "FunctionName",
                "value": "setsockopt"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7664f070"
              }
            ],
            "repeated": 0,
            "id": 1815
          },
          {
            "timestamp": "2026-04-16 20:00:16,580",
            "thread_id": "4344",
            "caller": "0x07ec04a4",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "WS2_32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76640000"
              },
              {
                "name": "FunctionName",
                "value": "WSAEventSelect"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7664c860"
              }
            ],
            "repeated": 0,
            "id": 1816
          },
          {
            "timestamp": "2026-04-16 20:00:16,580",
            "thread_id": "4344",
            "caller": "0x07ec04a4",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "WS2_32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76640000"
              },
              {
                "name": "FunctionName",
                "value": "ioctlsocket"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76652520"
              }
            ],
            "repeated": 0,
            "id": 1817
          },
          {
            "timestamp": "2026-04-16 20:00:16,580",
            "thread_id": "4344",
            "caller": "0x07ec04a4",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "WS2_32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76640000"
              },
              {
                "name": "FunctionName",
                "value": "closesocket"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7664ea60"
              }
            ],
            "repeated": 0,
            "id": 1818
          },
          {
            "timestamp": "2026-04-16 20:00:16,580",
            "thread_id": "4344",
            "caller": "0x07ec04c8",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\mswsock"
              },
              {
                "name": "DllBase",
                "value": "0x747c0000"
              }
            ],
            "repeated": 0,
            "id": 1819
          },
          {
            "timestamp": "2026-04-16 20:00:16,596",
            "thread_id": "4344",
            "caller": "0x07ec04c8",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\mswsock.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x747c0000"
              }
            ],
            "repeated": 0,
            "id": 1820
          },
          {
            "timestamp": "2026-04-16 20:00:16,596",
            "thread_id": "4344",
            "caller": "0x07ec04c8",
            "parentcaller": "0x07c6bad6",
            "category": "network",
            "api": "WSASocketW",
            "status": true,
            "return": "0x00000410",
            "arguments": [
              {
                "name": "af",
                "value": "2",
                "pretty_value": "AF_INET"
              },
              {
                "name": "type",
                "value": "2",
                "pretty_value": "SOCK_DGRAM"
              },
              {
                "name": "protocol",
                "value": "0"
              },
              {
                "name": "socket",
                "value": "1040"
              }
            ],
            "repeated": 0,
            "id": 1821
          },
          {
            "timestamp": "2026-04-16 20:00:16,596",
            "thread_id": "4344",
            "caller": "0x07ec059e",
            "parentcaller": "0x07c6bad6",
            "category": "network",
            "api": "setsockopt",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "socket",
                "value": "1040"
              },
              {
                "name": "level",
                "value": "0x0000ffff"
              },
              {
                "name": "optname",
                "value": "0x00000080"
              },
              {
                "name": "optval",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1822
          },
          {
            "timestamp": "2026-04-16 20:00:16,596",
            "thread_id": "4344",
            "caller": "0x02f6b456",
            "parentcaller": "0x07c6bad6",
            "category": "network",
            "api": "closesocket",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1040"
              }
            ],
            "repeated": 0,
            "id": 1823
          },
          {
            "timestamp": "2026-04-16 20:00:16,596",
            "thread_id": "4344",
            "caller": "0x07ec04c8",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\mswsock.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x747c0000"
              }
            ],
            "repeated": 0,
            "id": 1824
          },
          {
            "timestamp": "2026-04-16 20:00:16,596",
            "thread_id": "4344",
            "caller": "0x07ec04c8",
            "parentcaller": "0x07c6bad6",
            "category": "network",
            "api": "WSASocketW",
            "status": true,
            "return": "0x00000410",
            "arguments": [
              {
                "name": "af",
                "value": "23",
                "pretty_value": "AF_INET6"
              },
              {
                "name": "type",
                "value": "2",
                "pretty_value": "SOCK_DGRAM"
              },
              {
                "name": "protocol",
                "value": "0"
              },
              {
                "name": "socket",
                "value": "1040"
              }
            ],
            "repeated": 0,
            "id": 1825
          },
          {
            "timestamp": "2026-04-16 20:00:16,596",
            "thread_id": "4344",
            "caller": "0x07ec059e",
            "parentcaller": "0x07c6bad6",
            "category": "network",
            "api": "setsockopt",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "socket",
                "value": "1040"
              },
              {
                "name": "level",
                "value": "0x0000ffff"
              },
              {
                "name": "optname",
                "value": "0x00000080"
              },
              {
                "name": "optval",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1826
          },
          {
            "timestamp": "2026-04-16 20:00:16,596",
            "thread_id": "4344",
            "caller": "0x02f6b456",
            "parentcaller": "0x07c6bad6",
            "category": "network",
            "api": "closesocket",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1040"
              }
            ],
            "repeated": 0,
            "id": 1827
          },
          {
            "timestamp": "2026-04-16 20:00:16,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0131b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1828
          },
          {
            "timestamp": "2026-04-16 20:00:16,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "NI\\159a66b8\\424bd4d8"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8"
              }
            ],
            "repeated": 0,
            "id": 1829
          },
          {
            "timestamp": "2026-04-16 20:00:16,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 1830
          },
          {
            "timestamp": "2026-04-16 20:00:16,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1831
          },
          {
            "timestamp": "2026-04-16 20:00:16,627",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000414"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.configuration.dll"
              }
            ],
            "repeated": 0,
            "id": 1832
          },
          {
            "timestamp": "2026-04-16 20:00:16,627",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000414"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07f40000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fe1e8"
              },
              {
                "name": "ViewSize",
                "value": "0x0006c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1833
          },
          {
            "timestamp": "2026-04-16 20:00:16,627",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000414"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07fb0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fe1e8"
              },
              {
                "name": "ViewSize",
                "value": "0x0006c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1834
          },
          {
            "timestamp": "2026-04-16 20:00:16,627",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07f40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1835
          },
          {
            "timestamp": "2026-04-16 20:00:16,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.INI"
              }
            ],
            "repeated": 0,
            "id": 1836
          },
          {
            "timestamp": "2026-04-16 20:00:16,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d92000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1837
          },
          {
            "timestamp": "2026-04-16 20:00:16,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07da7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1838
          },
          {
            "timestamp": "2026-04-16 20:00:16,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07dab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1839
          },
          {
            "timestamp": "2026-04-16 20:00:16,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07dac000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1840
          },
          {
            "timestamp": "2026-04-16 20:00:16,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000041c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1841
          },
          {
            "timestamp": "2026-04-16 20:00:16,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.configuration.dll"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1842
          },
          {
            "timestamp": "2026-04-16 20:00:16,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000041c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.configuration.dll"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1843
          },
          {
            "timestamp": "2026-04-16 20:00:16,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000002"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x07f40000"
              }
            ],
            "repeated": 0,
            "id": 1844
          },
          {
            "timestamp": "2026-04-16 20:00:16,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x07f40000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000009"
              }
            ],
            "repeated": 0,
            "id": 1845
          },
          {
            "timestamp": "2026-04-16 20:00:16,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000041c"
              }
            ],
            "repeated": 0,
            "id": 1846
          },
          {
            "timestamp": "2026-04-16 20:00:16,861",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "filesystem",
            "api": "GetFileVersionInfoSizeW",
            "status": true,
            "return": "0x000007ec",
            "arguments": [
              {
                "name": "PathName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.dll"
              }
            ],
            "repeated": 0,
            "id": 1847
          },
          {
            "timestamp": "2026-04-16 20:00:16,861",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "filesystem",
            "api": "GetFileVersionInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "PathName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.dll"
              }
            ],
            "repeated": 0,
            "id": 1848
          },
          {
            "timestamp": "2026-04-16 20:00:16,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bd6a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f7d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1849
          },
          {
            "timestamp": "2026-04-16 20:00:16,971",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bdec",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d93000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1850
          },
          {
            "timestamp": "2026-04-16 20:00:16,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bdec",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d94000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1851
          },
          {
            "timestamp": "2026-04-16 20:00:17,002",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bf2b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07c6c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1852
          },
          {
            "timestamp": "2026-04-16 20:00:17,174",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bffd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d95000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1853
          },
          {
            "timestamp": "2026-04-16 20:00:17,174",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bffd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0131d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1854
          },
          {
            "timestamp": "2026-04-16 20:00:17,174",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bffd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07dad000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1855
          },
          {
            "timestamp": "2026-04-16 20:00:17,174",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bffd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0131f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1856
          },
          {
            "timestamp": "2026-04-16 20:00:17,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1857
          },
          {
            "timestamp": "2026-04-16 20:00:17,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1858
          },
          {
            "timestamp": "2026-04-16 20:00:17,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6c292",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1859
          },
          {
            "timestamp": "2026-04-16 20:00:17,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6c292",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1860
          },
          {
            "timestamp": "2026-04-16 20:00:17,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6c345",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d96000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1861
          },
          {
            "timestamp": "2026-04-16 20:00:17,205",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6c345",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1862
          },
          {
            "timestamp": "2026-04-16 20:00:17,205",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6c345",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d97000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1863
          },
          {
            "timestamp": "2026-04-16 20:00:17,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6c345",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1864
          },
          {
            "timestamp": "2026-04-16 20:00:17,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6c345",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08030000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1865
          },
          {
            "timestamp": "2026-04-16 20:00:17,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1866
          },
          {
            "timestamp": "2026-04-16 20:00:17,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1867
          },
          {
            "timestamp": "2026-04-16 20:00:17,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1868
          },
          {
            "timestamp": "2026-04-16 20:00:17,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1869
          },
          {
            "timestamp": "2026-04-16 20:00:17,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6c345",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1870
          },
          {
            "timestamp": "2026-04-16 20:00:17,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6c345",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08050000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1871
          },
          {
            "timestamp": "2026-04-16 20:00:17,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6c345",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08060000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1872
          },
          {
            "timestamp": "2026-04-16 20:00:17,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6c345",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07c6d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1873
          },
          {
            "timestamp": "2026-04-16 20:00:17,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6c345",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07dae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1874
          },
          {
            "timestamp": "2026-04-16 20:00:17,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6c345",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08060000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1875
          },
          {
            "timestamp": "2026-04-16 20:00:17,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6c345",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08050000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1876
          },
          {
            "timestamp": "2026-04-16 20:00:17,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6c345",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1877
          },
          {
            "timestamp": "2026-04-16 20:00:17,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6c345",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08030000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1878
          },
          {
            "timestamp": "2026-04-16 20:00:17,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6c345",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1879
          },
          {
            "timestamp": "2026-04-16 20:00:17,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6c345",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1880
          },
          {
            "timestamp": "2026-04-16 20:00:17,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6c00c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f7e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1881
          },
          {
            "timestamp": "2026-04-16 20:00:17,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6c00c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1882
          },
          {
            "timestamp": "2026-04-16 20:00:17,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6c00c",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1883
          },
          {
            "timestamp": "2026-04-16 20:00:17,439",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1884
          },
          {
            "timestamp": "2026-04-16 20:00:17,439",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1885
          },
          {
            "timestamp": "2026-04-16 20:00:17,439",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6dcd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01320000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1886
          },
          {
            "timestamp": "2026-04-16 20:00:17,439",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6dcd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1887
          },
          {
            "timestamp": "2026-04-16 20:00:17,439",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6dcd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07c6e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1888
          },
          {
            "timestamp": "2026-04-16 20:00:17,439",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6dcd7",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1889
          },
          {
            "timestamp": "2026-04-16 20:00:17,439",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1890
          },
          {
            "timestamp": "2026-04-16 20:00:17,439",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1891
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6e2e4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1892
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6e2e4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07daf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1893
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6e2e4",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1894
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01321000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1895
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "NI\\6faf58\\19ab8d57"
              },
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57"
              }
            ],
            "repeated": 0,
            "id": 1896
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "7"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7"
              }
            ],
            "repeated": 0,
            "id": 1897
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\"
              }
            ],
            "repeated": 0,
            "id": 1898
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              }
            ],
            "repeated": 0,
            "id": 1899
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "NI\\6faf58\\19ab8d57\\7"
              },
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7"
              }
            ],
            "repeated": 0,
            "id": 1900
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "ValueName",
                "value": "DisplayName"
              },
              {
                "name": "Data",
                "value": "System.Xml,2.0.0.0,,b77a5c561934e089"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\DisplayName"
              }
            ],
            "repeated": 0,
            "id": 1901
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "ValueName",
                "value": "ConfigMask"
              },
              {
                "name": "Data",
                "value": "4361"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\ConfigMask"
              }
            ],
            "repeated": 0,
            "id": 1902
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "ValueName",
                "value": "ConfigString"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\ConfigString"
              }
            ],
            "repeated": 0,
            "id": 1903
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "ValueName",
                "value": "MVID"
              },
              {
                "name": "Data",
                "value": "\\xba\\xe2N\\x9b\\xcb\\xc0\\x1b\\xb2\\xa0\\xedO\\xa7Q4pA"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\MVID"
              }
            ],
            "repeated": 0,
            "id": 1904
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              }
            ],
            "repeated": 0,
            "id": 1905
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "NI\\6faf58\\19ab8d57\\7"
              },
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7"
              }
            ],
            "repeated": 0,
            "id": 1906
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "ValueName",
                "value": "EvalationData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\EvalationData"
              }
            ],
            "repeated": 0,
            "id": 1907
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "ValueName",
                "value": "Status"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\Status"
              }
            ],
            "repeated": 0,
            "id": 1908
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "ValueName",
                "value": "ILDependencies"
              },
              {
                "name": "Data",
                "value": "\\xd8\\xd4KB\\xd5\\x04\\xc5\\x0c\\x06\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xee\\x8fcu';Y\\x11\\x05\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00W\\x8d\\xab\\x19t&\\xa3.\\x07\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\ILDependencies"
              }
            ],
            "repeated": 0,
            "id": 1909
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "ValueName",
                "value": "NIDependencies"
              },
              {
                "name": "Data",
                "value": "\\xc68\\x19\\x18\\xc5\\xe2Py\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00O|\\xbc0O\\xfeP?\\x08\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\NIDependencies"
              }
            ],
            "repeated": 0,
            "id": 1910
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "ValueName",
                "value": "MissingDependencies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\MissingDependencies"
              }
            ],
            "repeated": 0,
            "id": 1911
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              }
            ],
            "repeated": 0,
            "id": 1912
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "IL\\75638fee\\11593b27\\5"
              },
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\11593b27\\5"
              }
            ],
            "repeated": 0,
            "id": 1913
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "ValueName",
                "value": "DisplayName"
              },
              {
                "name": "Data",
                "value": "System.Data.SqlXml,2.0.0.0,,b77a5c561934e089"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\11593b27\\5\\DisplayName"
              }
            ],
            "repeated": 0,
            "id": 1914
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "ValueName",
                "value": "Status"
              },
              {
                "name": "Data",
                "value": "4098"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\11593b27\\5\\Status"
              }
            ],
            "repeated": 0,
            "id": 1915
          },
          {
            "timestamp": "2026-04-16 20:00:17,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "ValueName",
                "value": "Modules"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\11593b27\\5\\Modules"
              }
            ],
            "repeated": 0,
            "id": 1916
          },
          {
            "timestamp": "2026-04-16 20:00:17,580",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "ValueName",
                "value": "SIG"
              },
              {
                "name": "Data",
                "value": "9S\\x1e/K\\x98DN\\xa1\\xa3^\\xba\\xd8\\xae\\xa3M\\x85\\x11\\x9b\\x17\\x815z^\\x15:\\xb8\\xb7\\x13\\x01\\xd4)\\xebl\\xb1\\x90"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\11593b27\\5\\SIG"
              }
            ],
            "repeated": 0,
            "id": 1917
          },
          {
            "timestamp": "2026-04-16 20:00:17,580",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "ValueName",
                "value": "LastModTime"
              },
              {
                "name": "Data",
                "value": "\\x00\\xe8\\xdd\\xc5;\\xac\\xd5\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\11593b27\\5\\LastModTime"
              }
            ],
            "repeated": 0,
            "id": 1918
          },
          {
            "timestamp": "2026-04-16 20:00:17,580",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              }
            ],
            "repeated": 0,
            "id": 1919
          },
          {
            "timestamp": "2026-04-16 20:00:17,580",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003b0"
              },
              {
                "name": "SubKey",
                "value": "policy.2.0.System.Data.SqlXml__b77a5c561934e089"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Data.SqlXml__b77a5c561934e089"
              }
            ],
            "repeated": 0,
            "id": 1920
          },
          {
            "timestamp": "2026-04-16 20:00:17,580",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL"
              },
              {
                "name": "Data",
                "value": "\\x00\\xe8\\xdd\\xc5;\\xac\\xd5\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL"
              }
            ],
            "repeated": 0,
            "id": 1921
          },
          {
            "timestamp": "2026-04-16 20:00:17,580",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 1922
          },
          {
            "timestamp": "2026-04-16 20:00:17,721",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\bae24e9bcbc01bb2a0ed4fa751347041\\System.Xml.ni"
              },
              {
                "name": "DllBase",
                "value": "0x71120000"
              }
            ],
            "repeated": 0,
            "id": 1923
          },
          {
            "timestamp": "2026-04-16 20:00:17,721",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\bae24e9bcbc01bb2a0ed4fa751347041\\System.Xml.ni.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x71120000"
              }
            ],
            "repeated": 0,
            "id": 1924
          },
          {
            "timestamp": "2026-04-16 20:00:17,721",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x71120000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\bae24e9bcbc01bb2a0ed4fa751347041\\System.Xml.ni.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 1925
          },
          {
            "timestamp": "2026-04-16 20:00:17,721",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 3,
            "id": 1926
          },
          {
            "timestamp": "2026-04-16 20:00:17,721",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "MSCORWKS.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x737e0000"
              }
            ],
            "repeated": 0,
            "id": 1927
          },
          {
            "timestamp": "2026-04-16 20:00:17,721",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "mscorjit.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x72b80000"
              }
            ],
            "repeated": 0,
            "id": 1928
          },
          {
            "timestamp": "2026-04-16 20:00:17,721",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.INI"
              }
            ],
            "repeated": 0,
            "id": 1929
          },
          {
            "timestamp": "2026-04-16 20:00:17,736",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d98000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1930
          },
          {
            "timestamp": "2026-04-16 20:00:17,752",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1931
          },
          {
            "timestamp": "2026-04-16 20:00:17,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1932
          },
          {
            "timestamp": "2026-04-16 20:00:17,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1933
          },
          {
            "timestamp": "2026-04-16 20:00:17,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1934
          },
          {
            "timestamp": "2026-04-16 20:00:17,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08030000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1935
          },
          {
            "timestamp": "2026-04-16 20:00:17,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1936
          },
          {
            "timestamp": "2026-04-16 20:00:17,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07c6f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1937
          },
          {
            "timestamp": "2026-04-16 20:00:17,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1938
          },
          {
            "timestamp": "2026-04-16 20:00:17,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08030000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1939
          },
          {
            "timestamp": "2026-04-16 20:00:17,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1940
          },
          {
            "timestamp": "2026-04-16 20:00:17,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6d375",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1941
          },
          {
            "timestamp": "2026-04-16 20:00:17,893",
            "thread_id": "4344",
            "caller": "0x07c6fa26",
            "parentcaller": "0x07c6f9ec",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1942
          },
          {
            "timestamp": "2026-04-16 20:00:17,893",
            "thread_id": "4344",
            "caller": "0x07c6fa26",
            "parentcaller": "0x07c6f9ec",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1943
          },
          {
            "timestamp": "2026-04-16 20:00:17,893",
            "thread_id": "4344",
            "caller": "0x02f6b1e2",
            "parentcaller": "0x07c6fa2d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000041c"
              }
            ],
            "repeated": 0,
            "id": 1944
          },
          {
            "timestamp": "2026-04-16 20:00:17,893",
            "thread_id": "4344",
            "caller": "0x07c6fa94",
            "parentcaller": "0x07c6dc12",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework\\Policy\\AppPatch"
              },
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\AppPatch"
              }
            ],
            "repeated": 0,
            "id": 1945
          },
          {
            "timestamp": "2026-04-16 20:00:17,893",
            "thread_id": "4344",
            "caller": "0x07c6fa94",
            "parentcaller": "0x07c6dc12",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319"
              }
            ],
            "repeated": 0,
            "id": 1946
          },
          {
            "timestamp": "2026-04-16 20:00:17,893",
            "thread_id": "4344",
            "caller": "0x07c6fa94",
            "parentcaller": "0x07c6dc12",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000418"
              },
              {
                "name": "SubKey",
                "value": "v4.0.30319.00000"
              },
              {
                "name": "Handle",
                "value": "0x00000420"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\policy\\AppPatch\\v4.0.30319.00000"
              }
            ],
            "repeated": 0,
            "id": 1947
          },
          {
            "timestamp": "2026-04-16 20:00:17,893",
            "thread_id": "4344",
            "caller": "0x07c6fa94",
            "parentcaller": "0x07c6dc12",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              }
            ],
            "repeated": 0,
            "id": 1948
          },
          {
            "timestamp": "2026-04-16 20:00:17,893",
            "thread_id": "4344",
            "caller": "0x07c6fa94",
            "parentcaller": "0x07c6dc12",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000420"
              },
              {
                "name": "SubKey",
                "value": "mscorwks.dll"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\policy\\AppPatch\\v4.0.30319.00000\\mscorwks.dll"
              }
            ],
            "repeated": 0,
            "id": 1949
          },
          {
            "timestamp": "2026-04-16 20:00:17,893",
            "thread_id": "4344",
            "caller": "0x07c6fa94",
            "parentcaller": "0x07c6dc12",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000420"
              }
            ],
            "repeated": 0,
            "id": 1950
          },
          {
            "timestamp": "2026-04-16 20:00:17,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6efbc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1951
          },
          {
            "timestamp": "2026-04-16 20:00:17,908",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6efbc",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1952
          },
          {
            "timestamp": "2026-04-16 20:00:17,939",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6fec8",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1953
          },
          {
            "timestamp": "2026-04-16 20:00:17,939",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6fec8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x77e40000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ntdll.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1954
          },
          {
            "timestamp": "2026-04-16 20:00:17,939",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6fec8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySystemInformation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb2df0"
              }
            ],
            "repeated": 0,
            "id": 1955
          },
          {
            "timestamp": "2026-04-16 20:00:17,939",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6fec8",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "206"
              }
            ],
            "repeated": 0,
            "id": 1956
          },
          {
            "timestamp": "2026-04-16 20:00:17,939",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6ff2d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetFileAttributesEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1957
          },
          {
            "timestamp": "2026-04-16 20:00:17,939",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6ff2d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetFileAttributesExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad3330"
              }
            ],
            "repeated": 0,
            "id": 1958
          },
          {
            "timestamp": "2026-04-16 20:00:17,939",
            "thread_id": "4344",
            "caller": "0x07ec07b8",
            "parentcaller": "0x07c6ff2d",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
              }
            ],
            "repeated": 0,
            "id": 1959
          },
          {
            "timestamp": "2026-04-16 20:00:17,939",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6efe9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1960
          },
          {
            "timestamp": "2026-04-16 20:00:17,955",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6efe9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1961
          },
          {
            "timestamp": "2026-04-16 20:00:17,955",
            "thread_id": "4344",
            "caller": "0x07ec07b8",
            "parentcaller": "0x080202e5",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
              }
            ],
            "repeated": 0,
            "id": 1962
          },
          {
            "timestamp": "2026-04-16 20:00:18,002",
            "thread_id": "4344",
            "caller": "0x0802028a",
            "parentcaller": "0x080201eb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "SetErrorMode"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0610"
              }
            ],
            "repeated": 0,
            "id": 1963
          },
          {
            "timestamp": "2026-04-16 20:00:18,002",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802028a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateFile"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1964
          },
          {
            "timestamp": "2026-04-16 20:00:18,002",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802028a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateFileW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad3140"
              }
            ],
            "repeated": 0,
            "id": 1965
          },
          {
            "timestamp": "2026-04-16 20:00:18,002",
            "thread_id": "4344",
            "caller": "0x07ec08b7",
            "parentcaller": "0x0802028a",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000420"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1966
          },
          {
            "timestamp": "2026-04-16 20:00:18,002",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802028a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetFileType"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad3390"
              }
            ],
            "repeated": 0,
            "id": 1967
          },
          {
            "timestamp": "2026-04-16 20:00:18,033",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x02f62420",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000418"
              }
            ],
            "repeated": 0,
            "id": 1968
          },
          {
            "timestamp": "2026-04-16 20:00:18,033",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x02f62420",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1969
          },
          {
            "timestamp": "2026-04-16 20:00:18,049",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x02f62420",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xb70\\x01\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xcc\\x04\\x82\\xdf\\xb2e\\xf3\\xf4\\xc8\\x97L\\xbe\\xe8\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1970
          },
          {
            "timestamp": "2026-04-16 20:00:18,049",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x02f62420",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3749840076-4109591986-3192690632-1000"
              },
              {
                "name": "Handle",
                "value": "0x00000424"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3749840076-4109591986-3192690632-1000"
              }
            ],
            "repeated": 0,
            "id": 1971
          },
          {
            "timestamp": "2026-04-16 20:00:18,049",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x02f62420",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000424"
              }
            ],
            "repeated": 0,
            "id": 1972
          },
          {
            "timestamp": "2026-04-16 20:00:18,049",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              }
            ],
            "repeated": 0,
            "id": 1973
          },
          {
            "timestamp": "2026-04-16 20:00:18,049",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 1974
          },
          {
            "timestamp": "2026-04-16 20:00:18,049",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x02f62420",
            "category": "filesystem",
            "api": "SHGetFolderPathW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Folder",
                "value": "0x0000801a",
                "pretty_value": "CSIDL_FLAG_CREATE|CSIDL_APPDATA"
              },
              {
                "name": "Path",
                "value": "C:\\Users\\cape\\AppData\\Roaming"
              }
            ],
            "repeated": 0,
            "id": 1975
          },
          {
            "timestamp": "2026-04-16 20:00:18,049",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetFileAttributesEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1976
          },
          {
            "timestamp": "2026-04-16 20:00:18,049",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetFileAttributesExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad3330"
              }
            ],
            "repeated": 0,
            "id": 1977
          },
          {
            "timestamp": "2026-04-16 20:00:18,049",
            "thread_id": "4344",
            "caller": "0x07ec07b8",
            "parentcaller": "0x02f62420",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
              }
            ],
            "repeated": 0,
            "id": 1978
          },
          {
            "timestamp": "2026-04-16 20:00:18,049",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08030000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1979
          },
          {
            "timestamp": "2026-04-16 20:00:18,049",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000418"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1980
          },
          {
            "timestamp": "2026-04-16 20:00:18,049",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01323000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1981
          },
          {
            "timestamp": "2026-04-16 20:00:18,049",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01324000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1982
          },
          {
            "timestamp": "2026-04-16 20:00:18,049",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000418"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
              },
              {
                "name": "Buffer",
                "value": "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!--\r\n    Please refer to machine.config.comments for a description and\r\n    the default values of each configuration section.\r\n\r\n    For a full documentation of the schema please refer to\r\n    http://go.microsoft.com/"
              },
              {
                "name": "Length",
                "value": "4095"
              }
            ],
            "repeated": 0,
            "id": 1983
          },
          {
            "timestamp": "2026-04-16 20:00:18,049",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01327000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1984
          },
          {
            "timestamp": "2026-04-16 20:00:18,049",
            "thread_id": "4344",
            "caller": "0x07ec0a45",
            "parentcaller": "0x02f62420",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05bb2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1985
          },
          {
            "timestamp": "2026-04-16 20:00:18,049",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000418"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
              },
              {
                "name": "Buffer",
                "value": "7a5c561934e089\">\r\n            <section name=\"schemaImporterExtensions\" type=\"System.Xml.Serialization.Configuration.SchemaImporterExtensionsSection, System.Xml, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\"/>\r\n            <section name"
              },
              {
                "name": "Length",
                "value": "14601"
              }
            ],
            "repeated": 0,
            "id": 1986
          },
          {
            "timestamp": "2026-04-16 20:00:18,049",
            "thread_id": "4344",
            "caller": "0x07ec0a45",
            "parentcaller": "0x02f62420",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05bc2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1987
          },
          {
            "timestamp": "2026-04-16 20:00:18,064",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000418"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
              },
              {
                "name": "Buffer",
                "value": "cKeyToken=b77a5c561934e089\"/>\r\n            <section name=\"net.pipe\" type=\"System.ServiceModel.Activation.Configuration.NetPipeSection, System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\"/>\r\n            <section name=\"net"
              },
              {
                "name": "Length",
                "value": "7339"
              }
            ],
            "repeated": 0,
            "id": 1988
          },
          {
            "timestamp": "2026-04-16 20:00:18,064",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0132c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1989
          },
          {
            "timestamp": "2026-04-16 20:00:18,064",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": false,
            "return": "0xffffffffc0000011",
            "pretty_return": "END_OF_FILE",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000418"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
              },
              {
                "name": "Buffer",
                "value": ""
              },
              {
                "name": "Length",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1990
          },
          {
            "timestamp": "2026-04-16 20:00:18,064",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              }
            ],
            "repeated": 0,
            "id": 1991
          },
          {
            "timestamp": "2026-04-16 20:00:18,064",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05bd2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1992
          },
          {
            "timestamp": "2026-04-16 20:00:18,111",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "CRYPTSP.dll"
              }
            ],
            "repeated": 0,
            "id": 1993
          },
          {
            "timestamp": "2026-04-16 20:00:18,111",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\CRYPTSP.dll"
              }
            ],
            "repeated": 0,
            "id": 1994
          },
          {
            "timestamp": "2026-04-16 20:00:18,111",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\cryptsp.dll"
              }
            ],
            "repeated": 0,
            "id": 1995
          },
          {
            "timestamp": "2026-04-16 20:00:18,111",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000418"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\cryptsp.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1996
          },
          {
            "timestamp": "2026-04-16 20:00:18,111",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000428"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000418"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\cryptsp.dll"
              }
            ],
            "repeated": 0,
            "id": 1997
          },
          {
            "timestamp": "2026-04-16 20:00:18,111",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000428"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75280000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00013000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1998
          },
          {
            "timestamp": "2026-04-16 20:00:18,127",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000428"
              }
            ],
            "repeated": 0,
            "id": 1999
          },
          {
            "timestamp": "2026-04-16 20:00:18,127",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              }
            ],
            "repeated": 0,
            "id": 2000
          },
          {
            "timestamp": "2026-04-16 20:00:18,127",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\SYSTEM32\\CRYPTSP.dll"
              }
            ],
            "repeated": 0,
            "id": 2001
          },
          {
            "timestamp": "2026-04-16 20:00:18,127",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000418"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\cryptsp.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2002
          },
          {
            "timestamp": "2026-04-16 20:00:18,127",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              }
            ],
            "repeated": 0,
            "id": 2003
          },
          {
            "timestamp": "2026-04-16 20:00:18,127",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\CRYPTSP"
              },
              {
                "name": "DllBase",
                "value": "0x75280000"
              }
            ],
            "repeated": 0,
            "id": 2004
          },
          {
            "timestamp": "2026-04-16 20:00:18,127",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\cryptsp"
              },
              {
                "name": "BaseAddress",
                "value": "0x75280000"
              },
              {
                "name": "InitRoutine",
                "value": "0x75285d30"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2005
          },
          {
            "timestamp": "2026-04-16 20:00:18,127",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\rsaenh"
              },
              {
                "name": "DllBase",
                "value": "0x74c10000"
              }
            ],
            "repeated": 0,
            "id": 2006
          },
          {
            "timestamp": "2026-04-16 20:00:18,127",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\rsaenh.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c10000"
              }
            ],
            "repeated": 0,
            "id": 2007
          },
          {
            "timestamp": "2026-04-16 20:00:18,127",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "crypto",
            "api": "CryptAcquireContextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Container",
                "value": ""
              },
              {
                "name": "Provider",
                "value": ""
              },
              {
                "name": "Flags",
                "value": "0xf0000000"
              }
            ],
            "repeated": 0,
            "id": 2008
          },
          {
            "timestamp": "2026-04-16 20:00:18,127",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x07c6f0b2",
            "category": "crypto",
            "api": "CryptGenRandom",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Buffer",
                "value": "\\xeb\\9?\\x86\\xf3\\xa8G"
              }
            ],
            "repeated": 0,
            "id": 2009
          },
          {
            "timestamp": "2026-04-16 20:00:18,143",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6f0b2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetFileSize"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad3360"
              }
            ],
            "repeated": 0,
            "id": 2010
          },
          {
            "timestamp": "2026-04-16 20:00:18,143",
            "thread_id": "4344",
            "caller": "0x07ec0b96",
            "parentcaller": "0x07c6f0b2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000420"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\xb3e\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2011
          },
          {
            "timestamp": "2026-04-16 20:00:18,143",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6f0b2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "ReadFile"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad34c0"
              }
            ],
            "repeated": 0,
            "id": 2012
          },
          {
            "timestamp": "2026-04-16 20:00:18,143",
            "thread_id": "4344",
            "caller": "0x07ec0c6f",
            "parentcaller": "0x07c6f0b2",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000420"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
              },
              {
                "name": "Buffer",
                "value": "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!--\r\n    Please refer to machine.config.comments for a description and\r\n    the default values of each configuration section.\r\n\r\n    For a full documentation of the schema please refer to\r\n    http://go.microsoft.com/"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 2013
          },
          {
            "timestamp": "2026-04-16 20:00:18,143",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6f0e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2014
          },
          {
            "timestamp": "2026-04-16 20:00:18,143",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6f0e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2015
          },
          {
            "timestamp": "2026-04-16 20:00:18,143",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802058d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d99000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2016
          },
          {
            "timestamp": "2026-04-16 20:00:18,143",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802058d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2017
          },
          {
            "timestamp": "2026-04-16 20:00:18,158",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802058d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08050000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2018
          },
          {
            "timestamp": "2026-04-16 20:00:18,158",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802058d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08060000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2019
          },
          {
            "timestamp": "2026-04-16 20:00:18,158",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802058d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08070000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2020
          },
          {
            "timestamp": "2026-04-16 20:00:18,158",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802058d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08080000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2021
          },
          {
            "timestamp": "2026-04-16 20:00:18,158",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802058d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08021000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2022
          },
          {
            "timestamp": "2026-04-16 20:00:18,158",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802058d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2023
          },
          {
            "timestamp": "2026-04-16 20:00:18,158",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802058d",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08080000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2024
          },
          {
            "timestamp": "2026-04-16 20:00:18,158",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802058d",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08070000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2025
          },
          {
            "timestamp": "2026-04-16 20:00:18,158",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802058d",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08060000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2026
          },
          {
            "timestamp": "2026-04-16 20:00:18,158",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802058d",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08050000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2027
          },
          {
            "timestamp": "2026-04-16 20:00:18,174",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802058d",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2028
          },
          {
            "timestamp": "2026-04-16 20:00:18,174",
            "thread_id": "4344",
            "caller": "0x08020e98",
            "parentcaller": "0x0802058d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02fa5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2029
          },
          {
            "timestamp": "2026-04-16 20:00:18,174",
            "thread_id": "4344",
            "caller": "0x08020e98",
            "parentcaller": "0x0802058d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2030
          },
          {
            "timestamp": "2026-04-16 20:00:18,314",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802173a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08022000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2031
          },
          {
            "timestamp": "2026-04-16 20:00:18,361",
            "thread_id": "4344",
            "caller": "0x07ec0c6f",
            "parentcaller": "0x0802074c",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000420"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
              },
              {
                "name": "Buffer",
                "value": "a5c561934e089\">\r\n            <section name=\"schemaImporterExtensions\" type=\"System.Xml.Serialization.Configuration.SchemaImporterExtensionsSection, System.Xml, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\"/>\r\n            <section name="
              },
              {
                "name": "Length",
                "value": "12288"
              }
            ],
            "repeated": 0,
            "id": 2032
          },
          {
            "timestamp": "2026-04-16 20:00:18,361",
            "thread_id": "4344",
            "caller": "0x0802094a",
            "parentcaller": "0x0802058d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05be2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2033
          },
          {
            "timestamp": "2026-04-16 20:00:18,361",
            "thread_id": "4344",
            "caller": "0x07ec0c6f",
            "parentcaller": "0x0802074c",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000420"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
              },
              {
                "name": "Buffer",
                "value": "77a5c561934e089\"/>\r\n            <section name=\"bindings\" type=\"System.ServiceModel.Configuration.BindingsSection, System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\"/>\r\n            <section name=\"client\" type=\"System.Ser"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 2034
          },
          {
            "timestamp": "2026-04-16 20:00:18,361",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080223fd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2035
          },
          {
            "timestamp": "2026-04-16 20:00:18,361",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080223fd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08050000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2036
          },
          {
            "timestamp": "2026-04-16 20:00:18,361",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080223fd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08060000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2037
          },
          {
            "timestamp": "2026-04-16 20:00:18,361",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080223fd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08070000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2038
          },
          {
            "timestamp": "2026-04-16 20:00:18,377",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080223fd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08080000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2039
          },
          {
            "timestamp": "2026-04-16 20:00:18,377",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080223fd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08090000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2040
          },
          {
            "timestamp": "2026-04-16 20:00:18,377",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080223fd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08023000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2041
          },
          {
            "timestamp": "2026-04-16 20:00:18,377",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080223fd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2042
          },
          {
            "timestamp": "2026-04-16 20:00:18,377",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080223fd",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08090000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2043
          },
          {
            "timestamp": "2026-04-16 20:00:18,377",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080223fd",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08080000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2044
          },
          {
            "timestamp": "2026-04-16 20:00:18,377",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080223fd",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08070000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2045
          },
          {
            "timestamp": "2026-04-16 20:00:18,393",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080223fd",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08060000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2046
          },
          {
            "timestamp": "2026-04-16 20:00:18,393",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080223fd",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08050000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2047
          },
          {
            "timestamp": "2026-04-16 20:00:18,393",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080223fd",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2048
          },
          {
            "timestamp": "2026-04-16 20:00:18,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08023d6a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2049
          },
          {
            "timestamp": "2026-04-16 20:00:18,408",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08023d6a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08050000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2050
          },
          {
            "timestamp": "2026-04-16 20:00:18,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08023d6a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08024000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2051
          },
          {
            "timestamp": "2026-04-16 20:00:18,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08023d6a",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08050000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2052
          },
          {
            "timestamp": "2026-04-16 20:00:18,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08023d6a",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2053
          },
          {
            "timestamp": "2026-04-16 20:00:18,424",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08023506",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2054
          },
          {
            "timestamp": "2026-04-16 20:00:18,424",
            "thread_id": "4344",
            "caller": "0x07ec0c6f",
            "parentcaller": "0x08024c4a",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": false,
            "return": "0xffffffffc0000011",
            "pretty_return": "END_OF_FILE",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000420"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
              },
              {
                "name": "Buffer",
                "value": "mework Data Provider for Odbc\" type=\"System.Data.Odbc.OdbcFactory, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\"/>\r\n           <add name=\"OleDb Data Provider\" invariant=\"System.Data.OleDb\" description=\".Net Framework Data "
              },
              {
                "name": "Length",
                "value": "5555"
              }
            ],
            "repeated": 0,
            "id": 2055
          },
          {
            "timestamp": "2026-04-16 20:00:18,439",
            "thread_id": "4344",
            "caller": "0x02f6a896",
            "parentcaller": "0x08024cb7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000420"
              }
            ],
            "repeated": 0,
            "id": 2056
          },
          {
            "timestamp": "2026-04-16 20:00:18,439",
            "thread_id": "4344",
            "caller": "0x02f6b1e2",
            "parentcaller": "0x07c6fa2d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000434"
              }
            ],
            "repeated": 0,
            "id": 2057
          },
          {
            "timestamp": "2026-04-16 20:00:18,439",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6eae7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08025000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2058
          },
          {
            "timestamp": "2026-04-16 20:00:18,439",
            "thread_id": "4344",
            "caller": "0x02f6b1e2",
            "parentcaller": "0x07c6fa2d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000428"
              }
            ],
            "repeated": 0,
            "id": 2059
          },
          {
            "timestamp": "2026-04-16 20:00:18,439",
            "thread_id": "4344",
            "caller": "0x02f6b1e2",
            "parentcaller": "0x07c6fa2d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000420"
              }
            ],
            "repeated": 0,
            "id": 2060
          },
          {
            "timestamp": "2026-04-16 20:00:18,439",
            "thread_id": "4344",
            "caller": "0x07ec07b8",
            "parentcaller": "0x07c6ff2d",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.config"
              }
            ],
            "repeated": 1,
            "id": 2061
          },
          {
            "timestamp": "2026-04-16 20:00:18,439",
            "thread_id": "4344",
            "caller": "0x02f6b1e2",
            "parentcaller": "0x07c6fa2d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000438"
              }
            ],
            "repeated": 0,
            "id": 2062
          },
          {
            "timestamp": "2026-04-16 20:00:18,439",
            "thread_id": "4344",
            "caller": "0x02f6b1e2",
            "parentcaller": "0x07c6fa2d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000043c"
              }
            ],
            "repeated": 0,
            "id": 2063
          },
          {
            "timestamp": "2026-04-16 20:00:18,455",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080251bc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2064
          },
          {
            "timestamp": "2026-04-16 20:00:18,455",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080251bc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08050000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2065
          },
          {
            "timestamp": "2026-04-16 20:00:18,455",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080251bc",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08050000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2066
          },
          {
            "timestamp": "2026-04-16 20:00:18,455",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080251bc",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2067
          },
          {
            "timestamp": "2026-04-16 20:00:18,455",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080253c9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2068
          },
          {
            "timestamp": "2026-04-16 20:00:18,455",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080253c9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2069
          },
          {
            "timestamp": "2026-04-16 20:00:18,471",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08025acd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2070
          },
          {
            "timestamp": "2026-04-16 20:00:18,471",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08025e21",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x74160000"
              },
              {
                "name": "FunctionName",
                "value": "ND_RI2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x74173a30"
              }
            ],
            "repeated": 0,
            "id": 2071
          },
          {
            "timestamp": "2026-04-16 20:00:18,471",
            "thread_id": "4344",
            "caller": "0x07ec0d29",
            "parentcaller": "0x08025e21",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "ND_RI2_RetAddr"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2072
          },
          {
            "timestamp": "2026-04-16 20:00:18,471",
            "thread_id": "4344",
            "caller": "0x07ec0d29",
            "parentcaller": "0x08025e21",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "ND_RI2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x73e24610"
              }
            ],
            "repeated": 0,
            "id": 2073
          },
          {
            "timestamp": "2026-04-16 20:00:18,486",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08025ea1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08026000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2074
          },
          {
            "timestamp": "2026-04-16 20:00:18,486",
            "thread_id": "4344",
            "caller": "0x02f6b1e2",
            "parentcaller": "0x07c6fa2d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000042c"
              }
            ],
            "repeated": 0,
            "id": 2075
          },
          {
            "timestamp": "2026-04-16 20:00:18,502",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08026162",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d9a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2076
          },
          {
            "timestamp": "2026-04-16 20:00:18,580",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2077
          },
          {
            "timestamp": "2026-04-16 20:00:18,580",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2078
          },
          {
            "timestamp": "2026-04-16 20:00:18,580",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08026791",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2079
          },
          {
            "timestamp": "2026-04-16 20:00:18,580",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08026791",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2080
          },
          {
            "timestamp": "2026-04-16 20:00:18,580",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802697d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d9b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2081
          },
          {
            "timestamp": "2026-04-16 20:00:18,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080261d2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2082
          },
          {
            "timestamp": "2026-04-16 20:00:18,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080261d2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2083
          },
          {
            "timestamp": "2026-04-16 20:00:18,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080261d2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08050000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2084
          },
          {
            "timestamp": "2026-04-16 20:00:18,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080261d2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08027000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2085
          },
          {
            "timestamp": "2026-04-16 20:00:18,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080261d2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08050000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2086
          },
          {
            "timestamp": "2026-04-16 20:00:18,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080261d2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2087
          },
          {
            "timestamp": "2026-04-16 20:00:18,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080261ff",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2088
          },
          {
            "timestamp": "2026-04-16 20:00:18,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080261ff",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2089
          },
          {
            "timestamp": "2026-04-16 20:00:18,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080274f6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2090
          },
          {
            "timestamp": "2026-04-16 20:00:18,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080274f6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2091
          },
          {
            "timestamp": "2026-04-16 20:00:18,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08027c33",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2092
          },
          {
            "timestamp": "2026-04-16 20:00:18,596",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08027c33",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2093
          },
          {
            "timestamp": "2026-04-16 20:00:18,611",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08027fd0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08028000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2094
          },
          {
            "timestamp": "2026-04-16 20:00:18,611",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08025eb4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2095
          },
          {
            "timestamp": "2026-04-16 20:00:18,611",
            "thread_id": "4344",
            "caller": "0x02f6b1e2",
            "parentcaller": "0x07c6fa2d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000440"
              }
            ],
            "repeated": 0,
            "id": 2096
          },
          {
            "timestamp": "2026-04-16 20:00:18,643",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802879d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d9c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2097
          },
          {
            "timestamp": "2026-04-16 20:00:18,658",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08028efb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08029000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2098
          },
          {
            "timestamp": "2026-04-16 20:00:18,658",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08028fb3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2099
          },
          {
            "timestamp": "2026-04-16 20:00:18,658",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08028fb3",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2100
          },
          {
            "timestamp": "2026-04-16 20:00:18,658",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f82000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2101
          },
          {
            "timestamp": "2026-04-16 20:00:18,658",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05bf2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2102
          },
          {
            "timestamp": "2026-04-16 20:00:18,658",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetComputerName"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2103
          },
          {
            "timestamp": "2026-04-16 20:00:18,658",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetComputerNameW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad13a0"
              }
            ],
            "repeated": 0,
            "id": 2104
          },
          {
            "timestamp": "2026-04-16 20:00:18,658",
            "thread_id": "4344",
            "caller": "0x07ec0e04",
            "parentcaller": "0x07c6bad6",
            "category": "misc",
            "api": "GetComputerNameW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ComputerName",
                "value": "DESKTOP-PC01"
              }
            ],
            "repeated": 0,
            "id": 2105
          },
          {
            "timestamp": "2026-04-16 20:00:18,674",
            "thread_id": "4344",
            "caller": "0x02f6b74b",
            "parentcaller": "0x07c6bad6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SYSTEM\\CurrentControlSet\\Services\\.NET CLR Networking\\Performance"
              },
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.NET CLR Networking\\Performance"
              }
            ],
            "repeated": 0,
            "id": 2106
          },
          {
            "timestamp": "2026-04-16 20:00:18,674",
            "thread_id": "4344",
            "caller": "0x02f6b84e",
            "parentcaller": "0x07c6bad6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "ValueName",
                "value": "Library"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\Library"
              }
            ],
            "repeated": 0,
            "id": 2107
          },
          {
            "timestamp": "2026-04-16 20:00:18,689",
            "thread_id": "4344",
            "caller": "0x07ec0410",
            "parentcaller": "0x07c6bad6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "ValueName",
                "value": "Library"
              },
              {
                "name": "Data",
                "value": "%systemroot%\\system32\\netfxperf.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\Library"
              }
            ],
            "repeated": 0,
            "id": 2108
          },
          {
            "timestamp": "2026-04-16 20:00:18,689",
            "thread_id": "4344",
            "caller": "0x02f6b84e",
            "parentcaller": "0x07c6bad6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "ValueName",
                "value": "IsMultiInstance"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\IsMultiInstance"
              }
            ],
            "repeated": 0,
            "id": 2109
          },
          {
            "timestamp": "2026-04-16 20:00:18,689",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "RegQueryValueEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2110
          },
          {
            "timestamp": "2026-04-16 20:00:18,689",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "RegQueryValueExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebe8e0"
              }
            ],
            "repeated": 0,
            "id": 2111
          },
          {
            "timestamp": "2026-04-16 20:00:18,689",
            "thread_id": "4344",
            "caller": "0x07ec0ebe",
            "parentcaller": "0x07c6bad6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "ValueName",
                "value": "IsMultiInstance"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\IsMultiInstance"
              }
            ],
            "repeated": 0,
            "id": 2112
          },
          {
            "timestamp": "2026-04-16 20:00:18,689",
            "thread_id": "4344",
            "caller": "0x02f6b84e",
            "parentcaller": "0x07c6bad6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 2113
          },
          {
            "timestamp": "2026-04-16 20:00:18,689",
            "thread_id": "4344",
            "caller": "0x07ec0ebe",
            "parentcaller": "0x07c6bad6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Data",
                "value": "6828"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 2114
          },
          {
            "timestamp": "2026-04-16 20:00:18,689",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              }
            ],
            "repeated": 0,
            "id": 2115
          },
          {
            "timestamp": "2026-04-16 20:00:18,689",
            "thread_id": "4344",
            "caller": "0x02f6b74b",
            "parentcaller": "0x07c6bad6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SYSTEM\\CurrentControlSet\\Services\\.net clr networking\\Performance"
              },
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.net clr networking\\Performance"
              }
            ],
            "repeated": 0,
            "id": 2116
          },
          {
            "timestamp": "2026-04-16 20:00:18,689",
            "thread_id": "4344",
            "caller": "0x02f6b84e",
            "parentcaller": "0x07c6bad6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "ValueName",
                "value": "CategoryOptions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\CategoryOptions"
              }
            ],
            "repeated": 0,
            "id": 2117
          },
          {
            "timestamp": "2026-04-16 20:00:18,689",
            "thread_id": "4344",
            "caller": "0x07ec0ebe",
            "parentcaller": "0x07c6bad6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "ValueName",
                "value": "CategoryOptions"
              },
              {
                "name": "Data",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\CategoryOptions"
              }
            ],
            "repeated": 0,
            "id": 2118
          },
          {
            "timestamp": "2026-04-16 20:00:18,689",
            "thread_id": "4344",
            "caller": "0x02f6b84e",
            "parentcaller": "0x07c6bad6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "ValueName",
                "value": "FileMappingSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\FileMappingSize"
              }
            ],
            "repeated": 0,
            "id": 2119
          },
          {
            "timestamp": "2026-04-16 20:00:18,689",
            "thread_id": "4344",
            "caller": "0x07ec0ebe",
            "parentcaller": "0x07c6bad6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "ValueName",
                "value": "FileMappingSize"
              },
              {
                "name": "Data",
                "value": "131072"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\FileMappingSize"
              }
            ],
            "repeated": 0,
            "id": 2120
          },
          {
            "timestamp": "2026-04-16 20:00:18,689",
            "thread_id": "4344",
            "caller": "0x02f6b84e",
            "parentcaller": "0x07c6bad6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "ValueName",
                "value": "Counter Names"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\Counter Names"
              }
            ],
            "repeated": 0,
            "id": 2121
          },
          {
            "timestamp": "2026-04-16 20:00:18,689",
            "thread_id": "4344",
            "caller": "0x02f6b84e",
            "parentcaller": "0x07c6bad6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "ValueName",
                "value": "Counter Names"
              },
              {
                "name": "Data",
                "value": "C\\x00o\\x00n\\x00n\\x00e\\x00c\\x00t\\x00i\\x00o\\x00n\\x00s\\x00 \\x00E\\x00s\\x00t\\x00a\\x00b\\x00l\\x00i\\x00s\\x00h\\x00e\\x00d\\x00\\x00\\x00B\\x00y\\x00t\\x00e\\x00s\\x00 \\x00R\\x00e\\x00c\\x00e\\x00i\\x00v\\x00e\\x00d\\x00\\x00\\x00B\\x00y\\x00t\\x00e\\x00s\\x00 \\x00S\\x00e\\x00n\\x00t\\x00\\x00\\x00D\\x00a\\x00t\\x00a\\x00g\\x00r\\x00a\\x00m\\x00s\\x00 \\x00R\\x00e\\x00c\\x00e\\x00i\\x00v\\x00e\\x00d\\x00\\x00\\x00D\\x00a\\x00t\\x00a\\x00g\\x00r\\x00a\\x00m\\x00s\\x00 \\x00S\\x00e\\x00n\\x00t\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\Counter Names"
              }
            ],
            "repeated": 0,
            "id": 2122
          },
          {
            "timestamp": "2026-04-16 20:00:18,689",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "ConvertStringSecurityDescriptorToSecurityDescriptor"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2123
          },
          {
            "timestamp": "2026-04-16 20:00:18,689",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "ConvertStringSecurityDescriptorToSecurityDescriptorW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76eb86d0"
              }
            ],
            "repeated": 0,
            "id": 2124
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ec1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2125
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07ec0f88",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "LocalFree"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76acf530"
              }
            ],
            "repeated": 0,
            "id": 2126
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateFileMapping"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2127
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateFileMappingW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad04a0"
              }
            ],
            "repeated": 0,
            "id": 2128
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07ec10ab",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "CloseHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad2ee0"
              }
            ],
            "repeated": 0,
            "id": 2129
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07ec10ab",
            "parentcaller": "0x07c6bad6",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000044c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0007",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_WRITE"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\netfxcustomperfcounters.1.0.net clr networking"
              },
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2130
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "MapViewOfFile"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76acf590"
              }
            ],
            "repeated": 0,
            "id": 2131
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07ec1130",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "UnmapViewOfFile"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad05d0"
              }
            ],
            "repeated": 0,
            "id": 2132
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07ec115c",
            "parentcaller": "0x07c6bad6",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000044c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08040000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fe970"
              },
              {
                "name": "ViewSize",
                "value": "0x00020000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2133
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "VirtualQuery"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76acf570"
              }
            ],
            "repeated": 0,
            "id": 2134
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              }
            ],
            "repeated": 0,
            "id": 2135
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "ReleaseMutex"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad3050"
              }
            ],
            "repeated": 0,
            "id": 2136
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateWellKnownSid"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ec0440"
              }
            ],
            "repeated": 0,
            "id": 2137
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateWellKnownSidW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2138
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateMutex"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2139
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateMutexW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad2fa0"
              }
            ],
            "repeated": 0,
            "id": 2140
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07ec14d7",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "MutexName",
                "value": "Global\\.net clr networking"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2141
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "WaitForSingleObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad30d0"
              }
            ],
            "repeated": 0,
            "id": 2142
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2143
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "Milliseconds",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 2144
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07ec14d7",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "MutexName",
                "value": "Global\\.net clr networking"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2145
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "OpenMutex"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2146
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "OpenMutexW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad3020"
              }
            ],
            "repeated": 0,
            "id": 2147
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07ec16a7",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtOpenMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000450"
              },
              {
                "name": "MutexName",
                "value": "Global\\.net clr networking"
              }
            ],
            "repeated": 0,
            "id": 2148
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2149
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000450"
              },
              {
                "name": "Milliseconds",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 2150
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07ec1317",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000450"
              }
            ],
            "repeated": 1,
            "id": 2151
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "OpenProcess"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0630"
              }
            ],
            "repeated": 0,
            "id": 2152
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "OpenProcessW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2153
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x02f6ad9b",
            "parentcaller": "0x07c6bad6",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000450"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2154
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetProcessTimes"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76acf320"
              }
            ],
            "repeated": 0,
            "id": 2155
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetProcessTimesW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2156
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x02f6a896",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000450"
              }
            ],
            "repeated": 0,
            "id": 2157
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07ec1317",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              }
            ],
            "repeated": 1,
            "id": 2158
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07ec14d7",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "MutexName",
                "value": "Global\\.net clr networking"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2159
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2160
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "Milliseconds",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 2161
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2162
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "44"
              }
            ],
            "repeated": 0,
            "id": 2163
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 2164
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetSystemTimeAndBias"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ec7190"
              }
            ],
            "repeated": 0,
            "id": 2165
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\tzres.dll"
              }
            ],
            "repeated": 0,
            "id": 2166
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000450"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\tzres.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2167
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000454"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000450"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\tzres.dll"
              }
            ],
            "repeated": 0,
            "id": 2168
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000454"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08060000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00003000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2169
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000454"
              }
            ],
            "repeated": 0,
            "id": 2170
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000450"
              }
            ],
            "repeated": 0,
            "id": 2171
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\StateSeparation\\RedirectionMap\\Keys"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\StateSeparation\\RedirectionMap\\Keys"
              }
            ],
            "repeated": 0,
            "id": 2172
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000450"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 2173
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000450"
              },
              {
                "name": "ValueName",
                "value": "Latest"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest"
              }
            ],
            "repeated": 0,
            "id": 2174
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000450"
              }
            ],
            "repeated": 0,
            "id": 2175
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000450"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\tzres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2176
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000454"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000450"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\tzres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 2177
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000454"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08070000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd558"
              },
              {
                "name": "ViewSize",
                "value": "0x0000e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2178
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000454"
              }
            ],
            "repeated": 0,
            "id": 2179
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08070000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              }
            ],
            "repeated": 0,
            "id": 2180
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000450"
              }
            ],
            "repeated": 0,
            "id": 2181
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\tzres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2182
          },
          {
            "timestamp": "2026-04-16 20:00:18,705",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000450"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\sysnative\\ru-RU\\tzres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2183
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000444"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000450"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\tzres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 2184
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000444"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08070000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd558"
              },
              {
                "name": "ViewSize",
                "value": "0x0000b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2185
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000444"
              }
            ],
            "repeated": 0,
            "id": 2186
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08070000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              }
            ],
            "repeated": 0,
            "id": 2187
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000450"
              }
            ],
            "repeated": 0,
            "id": 2188
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08060000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 2189
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\tzres.dll"
              }
            ],
            "repeated": 0,
            "id": 2190
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000450"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\tzres.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2191
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000444"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000450"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\tzres.dll"
              }
            ],
            "repeated": 0,
            "id": 2192
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000444"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08060000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00003000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2193
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000444"
              }
            ],
            "repeated": 0,
            "id": 2194
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000450"
              }
            ],
            "repeated": 0,
            "id": 2195
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000450"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 2196
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000450"
              },
              {
                "name": "ValueName",
                "value": "Latest"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest"
              }
            ],
            "repeated": 0,
            "id": 2197
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000450"
              }
            ],
            "repeated": 0,
            "id": 2198
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000450"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\tzres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2199
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000444"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000450"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\tzres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 2200
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000444"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08070000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd558"
              },
              {
                "name": "ViewSize",
                "value": "0x0000e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2201
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000444"
              }
            ],
            "repeated": 0,
            "id": 2202
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08070000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              }
            ],
            "repeated": 0,
            "id": 2203
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000450"
              }
            ],
            "repeated": 0,
            "id": 2204
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\tzres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2205
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000450"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\sysnative\\ru-RU\\tzres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2206
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000444"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000450"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\tzres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 2207
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000444"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08070000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd558"
              },
              {
                "name": "ViewSize",
                "value": "0x0000b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2208
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000444"
              }
            ],
            "repeated": 0,
            "id": 2209
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08070000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              }
            ],
            "repeated": 0,
            "id": 2210
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000450"
              }
            ],
            "repeated": 0,
            "id": 2211
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08060000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 2212
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "44"
              }
            ],
            "repeated": 0,
            "id": 2213
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2214
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07ec1317",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              }
            ],
            "repeated": 1,
            "id": 2215
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07ec14d7",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "MutexName",
                "value": "Global\\.net clr networking"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2216
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2217
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "Milliseconds",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 2218
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2219
          },
          {
            "timestamp": "2026-04-16 20:00:18,721",
            "thread_id": "4344",
            "caller": "0x07ec1317",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              }
            ],
            "repeated": 1,
            "id": 2220
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec14d7",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "MutexName",
                "value": "Global\\.net clr networking"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2221
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2222
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "Milliseconds",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 2223
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2224
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec1317",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              }
            ],
            "repeated": 1,
            "id": 2225
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec14d7",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "MutexName",
                "value": "Global\\.net clr networking"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2226
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2227
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "Milliseconds",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 2228
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2229
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec1317",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              }
            ],
            "repeated": 1,
            "id": 2230
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec14d7",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "MutexName",
                "value": "Global\\.net clr networking"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2231
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2232
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "Milliseconds",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 2233
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2234
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec1317",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              }
            ],
            "repeated": 1,
            "id": 2235
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec14d7",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "MutexName",
                "value": "Global\\.net clr networking"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2236
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2237
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "Milliseconds",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 2238
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2239
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec1317",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              }
            ],
            "repeated": 1,
            "id": 2240
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec14d7",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "MutexName",
                "value": "Global\\.net clr networking"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2241
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2242
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "Milliseconds",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 2243
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2244
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec1317",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              }
            ],
            "repeated": 1,
            "id": 2245
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec14d7",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "MutexName",
                "value": "Global\\.net clr networking"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2246
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2247
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "Milliseconds",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 2248
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2249
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec1317",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              }
            ],
            "repeated": 1,
            "id": 2250
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec14d7",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "MutexName",
                "value": "Global\\.net clr networking"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2251
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2252
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x07c6bad6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              },
              {
                "name": "Milliseconds",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 2253
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07c6bad6",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2254
          },
          {
            "timestamp": "2026-04-16 20:00:18,736",
            "thread_id": "4344",
            "caller": "0x07ec1317",
            "parentcaller": "0x07c6bad6",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              }
            ],
            "repeated": 1,
            "id": 2255
          },
          {
            "timestamp": "2026-04-16 20:00:18,768",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bc10",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08060000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2256
          },
          {
            "timestamp": "2026-04-16 20:00:18,768",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6bc10",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08060000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2257
          },
          {
            "timestamp": "2026-04-16 20:00:18,768",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x080293d9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2258
          },
          {
            "timestamp": "2026-04-16 20:00:18,768",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08029406",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08060000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2259
          },
          {
            "timestamp": "2026-04-16 20:00:18,768",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08029406",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08070000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2260
          },
          {
            "timestamp": "2026-04-16 20:00:18,768",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08029406",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08070000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2261
          },
          {
            "timestamp": "2026-04-16 20:00:18,768",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08029406",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08060000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2262
          },
          {
            "timestamp": "2026-04-16 20:00:18,783",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08029406",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "WS2_32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76640000"
              },
              {
                "name": "FunctionName",
                "value": "inet_addr"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x766457e0"
              }
            ],
            "repeated": 0,
            "id": 2263
          },
          {
            "timestamp": "2026-04-16 20:00:18,799",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08029c58",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f7f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2264
          },
          {
            "timestamp": "2026-04-16 20:00:18,799",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d9d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2265
          },
          {
            "timestamp": "2026-04-16 20:00:18,799",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08029f52",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0802a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2266
          },
          {
            "timestamp": "2026-04-16 20:00:18,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08029e5e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2267
          },
          {
            "timestamp": "2026-04-16 20:00:18,814",
            "thread_id": "4344",
            "caller": "0x02f6b1e2",
            "parentcaller": "0x07c6fa2d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000045c"
              }
            ],
            "repeated": 0,
            "id": 2268
          },
          {
            "timestamp": "2026-04-16 20:00:18,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802a98e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08060000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2269
          },
          {
            "timestamp": "2026-04-16 20:00:18,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802a98e",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08060000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2270
          },
          {
            "timestamp": "2026-04-16 20:00:18,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802abcf",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08060000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2271
          },
          {
            "timestamp": "2026-04-16 20:00:18,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802abcf",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0802b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2272
          },
          {
            "timestamp": "2026-04-16 20:00:18,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802abcf",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08060000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2273
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x02f6b1e2",
            "parentcaller": "0x07c6fa2d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000448"
              }
            ],
            "repeated": 0,
            "id": 2274
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x07ec04c8",
            "parentcaller": "0x08029e5e",
            "category": "network",
            "api": "WSASocketW",
            "status": true,
            "return": "0x00000450",
            "arguments": [
              {
                "name": "af",
                "value": "2",
                "pretty_value": "AF_INET"
              },
              {
                "name": "type",
                "value": "1",
                "pretty_value": "SOCK_STREAM"
              },
              {
                "name": "protocol",
                "value": "6",
                "pretty_value": "IPPROTO_TCP"
              },
              {
                "name": "socket",
                "value": "1104"
              }
            ],
            "repeated": 0,
            "id": 2275
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802b8cd",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "WS2_32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76640000"
              },
              {
                "name": "FunctionName",
                "value": "setsockopt"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7664f070"
              }
            ],
            "repeated": 0,
            "id": 2276
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x07ec0c6f",
            "parentcaller": "0x0802b8cd",
            "category": "network",
            "api": "setsockopt",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1104"
              },
              {
                "name": "level",
                "value": "0x0000ffff"
              },
              {
                "name": "optname",
                "value": "0xfffffffb"
              },
              {
                "name": "optval",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2277
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802b7c8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "WS2_32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76640000"
              },
              {
                "name": "FunctionName",
                "value": "bind"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7664d890"
              }
            ],
            "repeated": 0,
            "id": 2278
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x07ec19e5",
            "parentcaller": "0x0802b7c8",
            "category": "network",
            "api": "bind",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1104"
              },
              {
                "name": "ip",
                "value": "127.0.0.1"
              },
              {
                "name": "port",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2279
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802b7c8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "WS2_32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76640000"
              },
              {
                "name": "FunctionName",
                "value": "listen"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76655d90"
              }
            ],
            "repeated": 0,
            "id": 2280
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x07ec15c2",
            "parentcaller": "0x0802b7c8",
            "category": "network",
            "api": "listen",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1104"
              }
            ],
            "repeated": 0,
            "id": 2281
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08029e70",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "WS2_32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76640000"
              },
              {
                "name": "FunctionName",
                "value": "getsockname"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76652270"
              }
            ],
            "repeated": 0,
            "id": 2282
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x07ec1ac9",
            "parentcaller": "0x08029e70",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000450"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Afd"
              },
              {
                "name": "IoControlCode",
                "value": "0x0001202f",
                "pretty_value": "IOCTL_AFD_GET_SOCK_NAME"
              },
              {
                "name": "InputBuffer",
                "value": ""
              },
              {
                "name": "OutputBuffer",
                "value": "\\x02\\x00\\xc3\\x00\\x7f\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2283
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802b848",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "WS2_32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76640000"
              },
              {
                "name": "FunctionName",
                "value": "ioctlsocket"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76652520"
              }
            ],
            "repeated": 0,
            "id": 2284
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x07ec1ba5",
            "parentcaller": "0x0802b848",
            "category": "network",
            "api": "ioctlsocket",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "socket",
                "value": "1104"
              },
              {
                "name": "command",
                "value": "0x8004667e"
              }
            ],
            "repeated": 0,
            "id": 2285
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802b848",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "WS2_32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76640000"
              },
              {
                "name": "FunctionName",
                "value": "accept"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x766569c0"
              }
            ],
            "repeated": 0,
            "id": 2286
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x07ec1c93",
            "parentcaller": "0x0802b848",
            "category": "network",
            "api": "accept",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "socket",
                "value": "1104"
              },
              {
                "name": "ClientSocket",
                "value": "0xffffffff"
              },
              {
                "name": "ip_accept",
                "value": "127.0.0.1"
              },
              {
                "name": "port_accept",
                "value": "0"
              },
              {
                "name": "ip_client",
                "value": ""
              },
              {
                "name": "port_client",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2287
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802b848",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f9c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2288
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x0802b848",
            "parentcaller": "0x08029e70",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2289
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x0802b848",
            "parentcaller": "0x08029e70",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 2290
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x0802b848",
            "parentcaller": "0x08029e70",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateIoCompletionPort"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad22a0"
              }
            ],
            "repeated": 0,
            "id": 2291
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x0802b848",
            "parentcaller": "0x08029e70",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "PostQueuedCompletionStatus"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad2260"
              }
            ],
            "repeated": 0,
            "id": 2292
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x0802b848",
            "parentcaller": "0x08029e70",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 2293
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x0802b848",
            "parentcaller": "0x08029e70",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x77e40000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ntdll.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2294
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x0802b848",
            "parentcaller": "0x08029e70",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryInformationThread"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb2ce0"
              }
            ],
            "repeated": 0,
            "id": 2295
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x0802b848",
            "parentcaller": "0x08029e70",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySystemInformation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb2df0"
              }
            ],
            "repeated": 0,
            "id": 2296
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x0802b848",
            "parentcaller": "0x08029e70",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2297
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x0802b848",
            "parentcaller": "0x08029e70",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 2298
          },
          {
            "timestamp": "2026-04-16 20:00:18,830",
            "thread_id": "4344",
            "caller": "0x0802b848",
            "parentcaller": "0x08029e70",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtGetCurrentProcessorNumber"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb39c0"
              }
            ],
            "repeated": 0,
            "id": 2299
          },
          {
            "timestamp": "2026-04-16 20:00:18,861",
            "thread_id": "4344",
            "caller": "0x0802b848",
            "parentcaller": "0x08029e70",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000474"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x73b239ab"
              },
              {
                "name": "Parameter",
                "value": "0x01324238"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "5932"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "Module",
                "value": "mscorwks.dll"
              }
            ],
            "repeated": 0,
            "id": 2300
          },
          {
            "timestamp": "2026-04-16 20:00:18,861",
            "thread_id": "4344",
            "caller": "0x0802b848",
            "parentcaller": "0x08029e70",
            "category": "threading",
            "api": "CreateThread",
            "status": true,
            "return": "0x00000474",
            "arguments": [
              {
                "name": "StartRoutine",
                "value": "0x73b239ab"
              },
              {
                "name": "ModuleName",
                "value": "mscorwks.dll"
              },
              {
                "name": "Parameter",
                "value": "0x01324238"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000004"
              },
              {
                "name": "ThreadId",
                "value": "5932"
              }
            ],
            "repeated": 0,
            "id": 2301
          },
          {
            "timestamp": "2026-04-16 20:00:18,861",
            "thread_id": "4344",
            "caller": "0x0802b848",
            "parentcaller": "0x08029e70",
            "category": "threading",
            "api": "NtResumeThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000474"
              },
              {
                "name": "SuspendCount",
                "value": "1"
              },
              {
                "name": "ThreadId",
                "value": "5932"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2302
          },
          {
            "timestamp": "2026-04-16 20:00:18,861",
            "thread_id": "4344",
            "caller": "0x0802b848",
            "parentcaller": "0x08029e70",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2303
          },
          {
            "timestamp": "2026-04-16 20:00:18,861",
            "thread_id": "4344",
            "caller": "0x0802b848",
            "parentcaller": "0x08029e70",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000470"
              },
              {
                "name": "Milliseconds",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 2304
          },
          {
            "timestamp": "2026-04-16 20:00:18,877",
            "thread_id": "5932",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e03000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2305
          },
          {
            "timestamp": "2026-04-16 20:00:18,877",
            "thread_id": "5932",
            "caller": "0x7726f231",
            "parentcaller": "0x736e2c18",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 2,
            "id": 2306
          },
          {
            "timestamp": "2026-04-16 20:00:18,877",
            "thread_id": "5932",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2307
          },
          {
            "timestamp": "2026-04-16 20:00:18,877",
            "thread_id": "5932",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2308
          },
          {
            "timestamp": "2026-04-16 20:00:18,877",
            "thread_id": "5932",
            "caller": "0x77271454",
            "parentcaller": "0x7386c4c9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000478"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 2309
          },
          {
            "timestamp": "2026-04-16 20:00:18,877",
            "thread_id": "5932",
            "caller": "0x7726269a",
            "parentcaller": "0x73aeacc4",
            "category": "system",
            "api": "NtClose",
            "status": false,
            "return": "0xffffffffc0000008",
            "pretty_return": "INVALID_HANDLE",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2310
          },
          {
            "timestamp": "2026-04-16 20:00:18,877",
            "thread_id": "5932",
            "caller": "0x7386aa35",
            "parentcaller": "0x7386aa9a",
            "category": "threading",
            "api": "SetThreadStackGuarantee",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InputSize",
                "value": "4096"
              },
              {
                "name": "OutputSize",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2311
          },
          {
            "timestamp": "2026-04-16 20:00:18,877",
            "thread_id": "5932",
            "caller": "0x772761f1",
            "parentcaller": "0x7386ab1a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x080a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x000fa000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2312
          },
          {
            "timestamp": "2026-04-16 20:00:18,877",
            "thread_id": "5932",
            "caller": "0x7727611b",
            "parentcaller": "0x73b23a22",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2313
          },
          {
            "timestamp": "2026-04-16 20:00:18,877",
            "thread_id": "4344",
            "caller": "0x0802b848",
            "parentcaller": "0x08029e70",
            "category": "threading",
            "api": "NtQueueApcThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "ThreadId",
                "value": "5932"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000474"
              },
              {
                "name": "ApcRoutine",
                "value": "0x77e6c070"
              },
              {
                "name": "Module",
                "value": "ntdll.dll"
              },
              {
                "name": "Name",
                "value": "RtlDispatchAPC"
              }
            ],
            "repeated": 0,
            "id": 2314
          },
          {
            "timestamp": "2026-04-16 20:00:18,908",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802b848",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f63000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2315
          },
          {
            "timestamp": "2026-04-16 20:00:18,908",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802b848",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "WS2_32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76640000"
              },
              {
                "name": "FunctionName",
                "value": "WSAEventSelect"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7664c860"
              }
            ],
            "repeated": 0,
            "id": 2316
          },
          {
            "timestamp": "2026-04-16 20:00:18,908",
            "thread_id": "4344",
            "caller": "0x07ec1d90",
            "parentcaller": "0x0802b848",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000450"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Afd"
              },
              {
                "name": "IoControlCode",
                "value": "0x0001203b",
                "pretty_value": "IOCTL_AFD_SET_INFO"
              },
              {
                "name": "InputBuffer",
                "value": "\\x02\\x00\\x00\\x00l\\x991\\x01\\x01\\xea\\x0f\\x01}\\xa8|t"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2317
          },
          {
            "timestamp": "2026-04-16 20:00:18,908",
            "thread_id": "4344",
            "caller": "0x07ec1d90",
            "parentcaller": "0x0802b848",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000450"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Afd"
              },
              {
                "name": "IoControlCode",
                "value": "0x00012087",
                "pretty_value": "IOCTL_AFD_EVENT_SELECT"
              },
              {
                "name": "InputBuffer",
                "value": "D\\x04\\x00\\x00\\x80\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2318
          },
          {
            "timestamp": "2026-04-16 20:00:18,924",
            "thread_id": "4344",
            "caller": "0x07c6bc19",
            "parentcaller": "0x07c6b388",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77060000"
              },
              {
                "name": "FunctionName",
                "value": "CoCreateGuid"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77bf6f40"
              }
            ],
            "repeated": 0,
            "id": 2319
          },
          {
            "timestamp": "2026-04-16 20:00:18,924",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6b3a3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ed9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2320
          },
          {
            "timestamp": "2026-04-16 20:00:18,924",
            "thread_id": "4344",
            "caller": "0x02f6b1e2",
            "parentcaller": "0x0802ba08",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 2321
          },
          {
            "timestamp": "2026-04-16 20:00:18,924",
            "thread_id": "4344",
            "caller": "0x0802a3bd",
            "parentcaller": "0x0802bab3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c02000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2322
          },
          {
            "timestamp": "2026-04-16 20:00:18,924",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6b401",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d9e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2323
          },
          {
            "timestamp": "2026-04-16 20:00:18,924",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802bb64",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "Advapi32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x76ea0000"
              }
            ],
            "repeated": 0,
            "id": 2324
          },
          {
            "timestamp": "2026-04-16 20:00:18,924",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802bb64",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x76ea0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "Advapi32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2325
          },
          {
            "timestamp": "2026-04-16 20:00:18,924",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802bb64",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "ConvertStringSecurityDescriptorToSecurityDescriptor"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2326
          },
          {
            "timestamp": "2026-04-16 20:00:18,924",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802bb64",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "ConvertStringSecurityDescriptorToSecurityDescriptorW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76eb86d0"
              }
            ],
            "repeated": 0,
            "id": 2327
          },
          {
            "timestamp": "2026-04-16 20:00:18,924",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802bbd2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "Kernel32"
              },
              {
                "name": "BaseAddress",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 2328
          },
          {
            "timestamp": "2026-04-16 20:00:18,924",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802bbd2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x76ab0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "Kernel32"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2329
          },
          {
            "timestamp": "2026-04-16 20:00:18,924",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802bbd2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateFileMapping"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2330
          },
          {
            "timestamp": "2026-04-16 20:00:18,924",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802bbd2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateFileMappingW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad04a0"
              }
            ],
            "repeated": 0,
            "id": 2331
          },
          {
            "timestamp": "2026-04-16 20:00:18,924",
            "thread_id": "4344",
            "caller": "0x07ec1f54",
            "parentcaller": "0x0802bbd2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000494"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0007",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_WRITE"
              },
              {
                "name": "ObjectAttributes",
                "value": "657166ec-df19-4a6c-af18-dcf7f06759c71.2Map"
              },
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2332
          },
          {
            "timestamp": "2026-04-16 20:00:18,924",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802bd95",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "LocalFree"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76acf530"
              }
            ],
            "repeated": 0,
            "id": 2333
          },
          {
            "timestamp": "2026-04-16 20:00:18,924",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802bc85",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "MapViewOfFile"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76acf590"
              }
            ],
            "repeated": 0,
            "id": 2334
          },
          {
            "timestamp": "2026-04-16 20:00:18,924",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802bc85",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "MapViewOfFileW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2335
          },
          {
            "timestamp": "2026-04-16 20:00:18,939",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802bc85",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ec2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2336
          },
          {
            "timestamp": "2026-04-16 20:00:18,939",
            "thread_id": "4344",
            "caller": "0x07ec1fea",
            "parentcaller": "0x0802bc85",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000494"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010feb88"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2337
          },
          {
            "timestamp": "2026-04-16 20:00:18,939",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802bd1f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "UnmapViewOfFile"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad05d0"
              }
            ],
            "repeated": 0,
            "id": 2338
          },
          {
            "timestamp": "2026-04-16 20:00:18,939",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802bd1f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "UnmapViewOfFileW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2339
          },
          {
            "timestamp": "2026-04-16 20:00:18,939",
            "thread_id": "4344",
            "caller": "0x02f6acbe",
            "parentcaller": "0x0802bd1f",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2340
          },
          {
            "timestamp": "2026-04-16 20:00:18,939",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x07c6b40b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "SetEvent"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad3080"
              }
            ],
            "repeated": 0,
            "id": 2341
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802be16",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0802c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2342
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c00c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\uxtheme.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2343
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c00c",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\uxtheme.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 2344
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c00c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "uxtheme.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x745d0000"
              }
            ],
            "repeated": 0,
            "id": 2345
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c00c",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x745d0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "uxtheme.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2346
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c00c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "uxtheme.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x745d0000"
              },
              {
                "name": "FunctionName",
                "value": "IsAppThemed"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x745fc880"
              }
            ],
            "repeated": 0,
            "id": 2347
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c00c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "uxtheme.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x745d0000"
              },
              {
                "name": "FunctionName",
                "value": "IsAppThemedW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2348
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x0802c00c",
            "parentcaller": "0x0802be16",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000490"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Sessions\\1\\Windows\\ThemeSection"
              }
            ],
            "repeated": 0,
            "id": 2349
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x0802c00c",
            "parentcaller": "0x0802be16",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000490"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fe82c"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2350
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x0802c00c",
            "parentcaller": "0x0802be16",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2351
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x0802c00c",
            "parentcaller": "0x0802be16",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 2352
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x0802c00c",
            "parentcaller": "0x0802be16",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x0000000c"
              }
            ],
            "repeated": 0,
            "id": 2353
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x0802c00c",
            "parentcaller": "0x0802be16",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000490"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Sessions\\1\\Windows\\ThemeSection"
              }
            ],
            "repeated": 0,
            "id": 2354
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x0802c00c",
            "parentcaller": "0x0802be16",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000490"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fe82c"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2355
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x0802c00c",
            "parentcaller": "0x0802be16",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2356
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x0802c00c",
            "parentcaller": "0x0802be16",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 2357
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c00c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateActCtx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2358
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c00c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateActCtxA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76b08dc0"
              }
            ],
            "repeated": 0,
            "id": 2359
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x07ec0e04",
            "parentcaller": "0x0802c00c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000490"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2360
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x07ec0e04",
            "parentcaller": "0x0802c00c",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000498"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000490"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll"
              }
            ],
            "repeated": 0,
            "id": 2361
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x07ec0e04",
            "parentcaller": "0x0802c00c",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000498"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x004ce000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2362
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x07ec0e04",
            "parentcaller": "0x0802c00c",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000049c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 2363
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x07ec0e04",
            "parentcaller": "0x0802c00c",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000049c"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 2364
          },
          {
            "timestamp": "2026-04-16 20:00:18,955",
            "thread_id": "4344",
            "caller": "0x07ec0e04",
            "parentcaller": "0x0802c00c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000049c"
              }
            ],
            "repeated": 0,
            "id": 2365
          },
          {
            "timestamp": "2026-04-16 20:00:18,971",
            "thread_id": "4344",
            "caller": "0x07ec0e04",
            "parentcaller": "0x0802c00c",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "4344"
              },
              {
                "name": "Module",
                "value": "KERNEL32.dll"
              },
              {
                "name": "Return Address",
                "value": "0x76ad24ac"
              }
            ],
            "repeated": 0,
            "id": 2366
          },
          {
            "timestamp": "2026-04-16 20:00:18,986",
            "thread_id": "4344",
            "caller": "0x07ec0e04",
            "parentcaller": "0x0802c00c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 2367
          },
          {
            "timestamp": "2026-04-16 20:00:18,986",
            "thread_id": "4344",
            "caller": "0x07ec0e04",
            "parentcaller": "0x0802c00c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2368
          },
          {
            "timestamp": "2026-04-16 20:00:18,986",
            "thread_id": "4344",
            "caller": "0x07ec0e04",
            "parentcaller": "0x0802c00c",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 2369
          },
          {
            "timestamp": "2026-04-16 20:00:19,064",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2370
          },
          {
            "timestamp": "2026-04-16 20:00:19,064",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2371
          },
          {
            "timestamp": "2026-04-16 20:00:19,064",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0132e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2372
          },
          {
            "timestamp": "2026-04-16 20:00:19,064",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01331000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2373
          },
          {
            "timestamp": "2026-04-16 20:00:19,064",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01334000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2374
          },
          {
            "timestamp": "2026-04-16 20:00:19,064",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01336000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2375
          },
          {
            "timestamp": "2026-04-16 20:00:19,064",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01339000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2376
          },
          {
            "timestamp": "2026-04-16 20:00:19,064",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0133c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2377
          },
          {
            "timestamp": "2026-04-16 20:00:19,064",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0133f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2378
          },
          {
            "timestamp": "2026-04-16 20:00:19,064",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07d9f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2379
          },
          {
            "timestamp": "2026-04-16 20:00:19,064",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2380
          },
          {
            "timestamp": "2026-04-16 20:00:19,080",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2381
          },
          {
            "timestamp": "2026-04-16 20:00:19,080",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2382
          },
          {
            "timestamp": "2026-04-16 20:00:19,080",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2383
          },
          {
            "timestamp": "2026-04-16 20:00:19,080",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01342000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2384
          },
          {
            "timestamp": "2026-04-16 20:00:19,080",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07eda000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2385
          },
          {
            "timestamp": "2026-04-16 20:00:19,080",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01335000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 2386
          },
          {
            "timestamp": "2026-04-16 20:00:19,080",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01335000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2387
          },
          {
            "timestamp": "2026-04-16 20:00:19,080",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2388
          },
          {
            "timestamp": "2026-04-16 20:00:19,080",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2389
          },
          {
            "timestamp": "2026-04-16 20:00:19,080",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2390
          },
          {
            "timestamp": "2026-04-16 20:00:19,096",
            "thread_id": "4344",
            "caller": "0x0802c61d",
            "parentcaller": "0x0802c4e4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05731000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2391
          },
          {
            "timestamp": "2026-04-16 20:00:19,127",
            "thread_id": "4344",
            "caller": "0x0802c61d",
            "parentcaller": "0x0802c4e4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7f550000"
              },
              {
                "name": "RegionSize",
                "value": "0x00050000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2392
          },
          {
            "timestamp": "2026-04-16 20:00:19,127",
            "thread_id": "4344",
            "caller": "0x0802c61d",
            "parentcaller": "0x0802c4e4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7f550000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 2393
          },
          {
            "timestamp": "2026-04-16 20:00:19,158",
            "thread_id": "4344",
            "caller": "0x0802c61d",
            "parentcaller": "0x0802c4e4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7f540000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2394
          },
          {
            "timestamp": "2026-04-16 20:00:19,158",
            "thread_id": "4344",
            "caller": "0x0802c61d",
            "parentcaller": "0x0802c4e4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7f540000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2395
          },
          {
            "timestamp": "2026-04-16 20:00:19,174",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802ca08",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "AdjustWindowRectEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d3d860"
              }
            ],
            "repeated": 0,
            "id": 2396
          },
          {
            "timestamp": "2026-04-16 20:00:19,189",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081a2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2397
          },
          {
            "timestamp": "2026-04-16 20:00:19,189",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2398
          },
          {
            "timestamp": "2026-04-16 20:00:19,189",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2399
          },
          {
            "timestamp": "2026-04-16 20:00:19,189",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2400
          },
          {
            "timestamp": "2026-04-16 20:00:19,189",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2401
          },
          {
            "timestamp": "2026-04-16 20:00:19,189",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08200000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2402
          },
          {
            "timestamp": "2026-04-16 20:00:19,189",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08210000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2403
          },
          {
            "timestamp": "2026-04-16 20:00:19,189",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08220000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2404
          },
          {
            "timestamp": "2026-04-16 20:00:19,189",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08230000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2405
          },
          {
            "timestamp": "2026-04-16 20:00:19,189",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08240000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2406
          },
          {
            "timestamp": "2026-04-16 20:00:19,189",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08260000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2407
          },
          {
            "timestamp": "2026-04-16 20:00:19,205",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08270000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2408
          },
          {
            "timestamp": "2026-04-16 20:00:19,205",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08280000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2409
          },
          {
            "timestamp": "2026-04-16 20:00:19,205",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08290000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2410
          },
          {
            "timestamp": "2026-04-16 20:00:19,205",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08290000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2411
          },
          {
            "timestamp": "2026-04-16 20:00:19,205",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07edb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2412
          },
          {
            "timestamp": "2026-04-16 20:00:19,205",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08291000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2413
          },
          {
            "timestamp": "2026-04-16 20:00:19,205",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07edc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2414
          },
          {
            "timestamp": "2026-04-16 20:00:19,221",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08280000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2415
          },
          {
            "timestamp": "2026-04-16 20:00:19,221",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08270000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2416
          },
          {
            "timestamp": "2026-04-16 20:00:19,221",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08260000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2417
          },
          {
            "timestamp": "2026-04-16 20:00:19,221",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08240000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2418
          },
          {
            "timestamp": "2026-04-16 20:00:19,221",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08230000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2419
          },
          {
            "timestamp": "2026-04-16 20:00:19,221",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08220000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2420
          },
          {
            "timestamp": "2026-04-16 20:00:19,221",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08210000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2421
          },
          {
            "timestamp": "2026-04-16 20:00:19,221",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08200000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2422
          },
          {
            "timestamp": "2026-04-16 20:00:19,221",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2423
          },
          {
            "timestamp": "2026-04-16 20:00:19,221",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2424
          },
          {
            "timestamp": "2026-04-16 20:00:19,221",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2425
          },
          {
            "timestamp": "2026-04-16 20:00:19,221",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2426
          },
          {
            "timestamp": "2026-04-16 20:00:19,236",
            "thread_id": "4344",
            "caller": "0x08293beb",
            "parentcaller": "0x082932ab",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c12000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2427
          },
          {
            "timestamp": "2026-04-16 20:00:19,236",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07edd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2428
          },
          {
            "timestamp": "2026-04-16 20:00:19,252",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0132d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00016000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 2429
          },
          {
            "timestamp": "2026-04-16 20:00:19,252",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetSystemInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad1910"
              }
            ],
            "repeated": 0,
            "id": 2430
          },
          {
            "timestamp": "2026-04-16 20:00:19,252",
            "thread_id": "4344",
            "caller": "0x07ec2206",
            "parentcaller": "0x02f62420",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2431
          },
          {
            "timestamp": "2026-04-16 20:00:19,268",
            "thread_id": "4344",
            "caller": "0x08293e48",
            "parentcaller": "0x08293e2c",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000004a0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7394890c"
              },
              {
                "name": "Parameter",
                "value": "0x0130dfa8"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "3964"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "Module",
                "value": "mscorwks.dll"
              }
            ],
            "repeated": 0,
            "id": 2432
          },
          {
            "timestamp": "2026-04-16 20:00:19,268",
            "thread_id": "4344",
            "caller": "0x08293e48",
            "parentcaller": "0x08293e2c",
            "category": "threading",
            "api": "CreateThread",
            "status": true,
            "return": "0x000004a0",
            "arguments": [
              {
                "name": "StartRoutine",
                "value": "0x7394890c"
              },
              {
                "name": "ModuleName",
                "value": "mscorwks.dll"
              },
              {
                "name": "Parameter",
                "value": "0x0130dfa8"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000004"
              },
              {
                "name": "ThreadId",
                "value": "3964"
              }
            ],
            "repeated": 0,
            "id": 2433
          },
          {
            "timestamp": "2026-04-16 20:00:19,268",
            "thread_id": "4344",
            "caller": "0x08293e48",
            "parentcaller": "0x08293e2c",
            "category": "threading",
            "api": "NtResumeThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000004a0"
              },
              {
                "name": "SuspendCount",
                "value": "1"
              },
              {
                "name": "ThreadId",
                "value": "3964"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2434
          },
          {
            "timestamp": "2026-04-16 20:00:19,268",
            "thread_id": "3964",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00df3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2435
          },
          {
            "timestamp": "2026-04-16 20:00:19,268",
            "thread_id": "3964",
            "caller": "0x77e6f695",
            "parentcaller": "0x77e87aa4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0132d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00016000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2436
          },
          {
            "timestamp": "2026-04-16 20:00:19,268",
            "thread_id": "3964",
            "caller": "0x7726f231",
            "parentcaller": "0x736e2c18",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 2,
            "id": 2437
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2438
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2439
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x7386aa35",
            "parentcaller": "0x7386aa9a",
            "category": "threading",
            "api": "SetThreadStackGuarantee",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InputSize",
                "value": "4096"
              },
              {
                "name": "OutputSize",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2440
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x772761f1",
            "parentcaller": "0x7386ab1a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x082a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x000fa000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2441
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x772627d9",
            "parentcaller": "0x737e58bd",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2442
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x772627d9",
            "parentcaller": "0x737e58bd",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              },
              {
                "name": "Milliseconds",
                "value": "40000"
              }
            ],
            "repeated": 0,
            "id": 2443
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x772765db",
            "parentcaller": "0x73947ec0",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000004a0"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\xf0\\xe4\\x00\\x04\\x1e\\x00\\x00|\\x0f\\x00\\x00\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3964"
              }
            ],
            "repeated": 0,
            "id": 2444
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08200000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2445
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08200000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2446
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08200000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2447
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08200000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2448
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08200000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2449
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08200000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2450
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08200000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2451
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08200000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2452
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08200000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2453
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "NI\\2b26c876\\18ded0b4"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2b26c876\\18ded0b4"
              }
            ],
            "repeated": 0,
            "id": 2454
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "filesystem",
            "api": "UrlCanonicalizeW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Url",
                "value": "C:/Users/cape/AppData/Local/Temp/"
              }
            ],
            "repeated": 0,
            "id": 2455
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "filesystem",
            "api": "UrlCanonicalizeW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Url",
                "value": "C:/Users/cape/AppData/Local/Temp/ServerPlugin.DLL"
              }
            ],
            "repeated": 0,
            "id": 2456
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "filesystem",
            "api": "UrlCanonicalizeW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Url",
                "value": "C:/Users/cape/AppData/Local/Temp/ServerPlugin/ServerPlugin.DLL"
              }
            ],
            "repeated": 0,
            "id": 2457
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "filesystem",
            "api": "UrlCanonicalizeW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Url",
                "value": "C:/Users/cape/AppData/Local/Temp/"
              }
            ],
            "repeated": 0,
            "id": 2458
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "filesystem",
            "api": "UrlCanonicalizeW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Url",
                "value": "C:/Users/cape/AppData/Local/Temp/ServerPlugin.EXE"
              }
            ],
            "repeated": 0,
            "id": 2459
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "filesystem",
            "api": "UrlCanonicalizeW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Url",
                "value": "C:/Users/cape/AppData/Local/Temp/ServerPlugin/ServerPlugin.EXE"
              }
            ],
            "repeated": 0,
            "id": 2460
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01331000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 2461
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01331000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2462
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\ServerPlugin.dll"
              }
            ],
            "repeated": 0,
            "id": 2463
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\ServerPlugin\\ServerPlugin.dll"
              }
            ],
            "repeated": 0,
            "id": 2464
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\ServerPlugin.exe"
              }
            ],
            "repeated": 0,
            "id": 2465
          },
          {
            "timestamp": "2026-04-16 20:00:19,283",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\ServerPlugin\\ServerPlugin.exe"
              }
            ],
            "repeated": 0,
            "id": 2466
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08210000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2467
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xdc\\xd49\\x08\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xcc\\x04\\x82\\xdf\\xb2e\\xf3\\xf4\\xc8\\x97L\\xbe\\xe8\\x03\\x00\\x00\\xa5C~s`\\x972\\x01\\xa8H~s\\xe0\\xb0M{\\x00\\x00\\x00\\x00X\\xba,\\x01\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xec\\xd59\\x08\\x00\\x0f\\xd3s"
              }
            ],
            "repeated": 0,
            "id": 2468
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 2469
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-3749840076-4109591986-3192690632-1000\\Installer\\Assemblies\\C:|Users|cape|AppData|Local|Temp|NanoCore.exe"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-3749840076-4109591986-3192690632-1000\\Installer\\Assemblies\\C:|Users|cape|AppData|Local|Temp|NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 2470
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Installer\\Assemblies\\C:|Users|cape|AppData|Local|Temp|NanoCore.exe"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Users|cape|AppData|Local|Temp|NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 2471
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Users|cape|AppData|Local|Temp|NanoCore.exe"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Users|cape|AppData|Local|Temp|NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 2472
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-3749840076-4109591986-3192690632-1000\\Installer\\Assemblies\\Global"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-3749840076-4109591986-3192690632-1000\\Installer\\Assemblies\\Global"
              }
            ],
            "repeated": 0,
            "id": 2473
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Installer\\Assemblies\\Global"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global"
              }
            ],
            "repeated": 0,
            "id": 2474
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Classes\\Installer\\Assemblies\\Global"
              },
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global"
              }
            ],
            "repeated": 0,
            "id": 2475
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "policy.1.0.cli_uretypes,publicKeyToken=\"ce2cb7e279207b9e\",version=\"9.0.0.0\",culture=\"neutral\",processorArchitecture=\"MSIL\""
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global\\policy.1.0.cli_uretypes,publicKeyToken=\"ce2cb7e279207b9e\",version=\"9.0.0.0\",culture=\"neutral\",processorArchitecture=\"MSIL\""
              }
            ],
            "repeated": 0,
            "id": 2476
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "ValueName",
                "value": "cli_cppuhelper,publicKeyToken=\"ce2cb7e279207b9e\",version=\"1.0.23.0\",culture=\"neutral\",processorArchitecture=\"x86\""
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global\\cli_cppuhelper,publicKeyToken=\"ce2cb7e279207b9e\",version=\"1.0.23.0\",culture=\"neutral\",processorArchitecture=\"x86\""
              }
            ],
            "repeated": 0,
            "id": 2477
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "ValueName",
                "value": "policy.1.0.cli_basetypes,publicKeyToken=\"ce2cb7e279207b9e\",version=\"20.0.0.0\",culture=\"neutral\",processorArchitecture=\"MSIL\""
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global\\policy.1.0.cli_basetypes,publicKeyToken=\"ce2cb7e279207b9e\",version=\"20.0.0.0\",culture=\"neutral\",processorArchitecture=\"MSIL\""
              }
            ],
            "repeated": 0,
            "id": 2478
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "ValueName",
                "value": "cli_basetypes,publicKeyToken=\"ce2cb7e279207b9e\",version=\"1.0.20.0\",culture=\"neutral\",processorArchitecture=\"MSIL\""
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global\\cli_basetypes,publicKeyToken=\"ce2cb7e279207b9e\",version=\"1.0.20.0\",culture=\"neutral\",processorArchitecture=\"MSIL\""
              }
            ],
            "repeated": 0,
            "id": 2479
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Index",
                "value": "4"
              },
              {
                "name": "ValueName",
                "value": "cli_oootypes,publicKeyToken=\"ce2cb7e279207b9e\",version=\"1.0.9.0\",culture=\"neutral\",processorArchitecture=\"MSIL\""
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global\\cli_oootypes,publicKeyToken=\"ce2cb7e279207b9e\",version=\"1.0.9.0\",culture=\"neutral\",processorArchitecture=\"MSIL\""
              }
            ],
            "repeated": 0,
            "id": 2480
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Index",
                "value": "5"
              },
              {
                "name": "ValueName",
                "value": "policy.1.0.cli_cppuhelper,publicKeyToken=\"ce2cb7e279207b9e\",version=\"23.0.0.0\",culture=\"neutral\",processorArchitecture=\"x86\""
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global\\policy.1.0.cli_cppuhelper,publicKeyToken=\"ce2cb7e279207b9e\",version=\"23.0.0.0\",culture=\"neutral\",processorArchitecture=\"x86\""
              }
            ],
            "repeated": 0,
            "id": 2481
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Index",
                "value": "6"
              },
              {
                "name": "ValueName",
                "value": "policy.1.0.cli_oootypes,publicKeyToken=\"ce2cb7e279207b9e\",version=\"9.0.0.0\",culture=\"neutral\",processorArchitecture=\"MSIL\""
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global\\policy.1.0.cli_oootypes,publicKeyToken=\"ce2cb7e279207b9e\",version=\"9.0.0.0\",culture=\"neutral\",processorArchitecture=\"MSIL\""
              }
            ],
            "repeated": 0,
            "id": 2482
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Index",
                "value": "7"
              },
              {
                "name": "ValueName",
                "value": "cli_uretypes,publicKeyToken=\"ce2cb7e279207b9e\",version=\"1.0.9.0\",culture=\"neutral\",processorArchitecture=\"MSIL\""
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global\\cli_uretypes,publicKeyToken=\"ce2cb7e279207b9e\",version=\"1.0.9.0\",culture=\"neutral\",processorArchitecture=\"MSIL\""
              }
            ],
            "repeated": 0,
            "id": 2483
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Index",
                "value": "8"
              },
              {
                "name": "ValueName",
                "value": "policy.1.0.cli_ure,publicKeyToken=\"ce2cb7e279207b9e\",version=\"23.0.0.0\",culture=\"neutral\",processorArchitecture=\"MSIL\""
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global\\policy.1.0.cli_ure,publicKeyToken=\"ce2cb7e279207b9e\",version=\"23.0.0.0\",culture=\"neutral\",processorArchitecture=\"MSIL\""
              }
            ],
            "repeated": 0,
            "id": 2484
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Index",
                "value": "9"
              },
              {
                "name": "ValueName",
                "value": "cli_ure,publicKeyToken=\"ce2cb7e279207b9e\",version=\"1.0.23.0\",culture=\"neutral\",processorArchitecture=\"MSIL\""
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global\\cli_ure,publicKeyToken=\"ce2cb7e279207b9e\",version=\"1.0.23.0\",culture=\"neutral\",processorArchitecture=\"MSIL\""
              }
            ],
            "repeated": 0,
            "id": 2485
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Index",
                "value": "10"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Type",
                "value": "0",
                "pretty_value": "REG_NONE"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global\\"
              }
            ],
            "repeated": 0,
            "id": 2486
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2487
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "LoadLibraryShim_RetAddr"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2488
          },
          {
            "timestamp": "2026-04-16 20:00:19,361",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "LoadLibraryShim"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x73e3f970"
              }
            ],
            "repeated": 0,
            "id": 2489
          },
          {
            "timestamp": "2026-04-16 20:00:19,408",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "3964"
              },
              {
                "name": "Module",
                "value": "KERNEL32.dll"
              },
              {
                "name": "Return Address",
                "value": "0x76ad24ac"
              }
            ],
            "repeated": 0,
            "id": 2490
          },
          {
            "timestamp": "2026-04-16 20:00:19,424",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081a3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2491
          },
          {
            "timestamp": "2026-04-16 20:00:19,424",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture"
              },
              {
                "name": "DllBase",
                "value": "0x70b00000"
              }
            ],
            "repeated": 0,
            "id": 2492
          },
          {
            "timestamp": "2026-04-16 20:00:19,424",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Culture.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x70b00000"
              }
            ],
            "repeated": 0,
            "id": 2493
          },
          {
            "timestamp": "2026-04-16 20:00:19,424",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x70b00000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 2494
          },
          {
            "timestamp": "2026-04-16 20:00:19,424",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "culture.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x70b00000"
              },
              {
                "name": "FunctionName",
                "value": "ConvertLangIdToCultureName"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70b03332"
              }
            ],
            "repeated": 0,
            "id": 2495
          },
          {
            "timestamp": "2026-04-16 20:00:19,424",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01344000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2496
          },
          {
            "timestamp": "2026-04-16 20:00:19,439",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture"
              },
              {
                "name": "DllBase",
                "value": "0x70b00000"
              }
            ],
            "repeated": 0,
            "id": 2497
          },
          {
            "timestamp": "2026-04-16 20:00:19,439",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70b00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 2498
          },
          {
            "timestamp": "2026-04-16 20:00:19,439",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08220000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 2499
          },
          {
            "timestamp": "2026-04-16 20:00:19,439",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000049c"
              }
            ],
            "repeated": 0,
            "id": 2500
          },
          {
            "timestamp": "2026-04-16 20:00:19,439",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ru-RU\\mscorrc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 2501
          },
          {
            "timestamp": "2026-04-16 20:00:19,455",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01335000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 2502
          },
          {
            "timestamp": "2026-04-16 20:00:19,455",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01330000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 2503
          },
          {
            "timestamp": "2026-04-16 20:00:19,455",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01330000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2504
          },
          {
            "timestamp": "2026-04-16 20:00:19,455",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01335000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2505
          },
          {
            "timestamp": "2026-04-16 20:00:19,471",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081a4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2506
          },
          {
            "timestamp": "2026-04-16 20:00:19,486",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ede000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2507
          },
          {
            "timestamp": "2026-04-16 20:00:19,486",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01337000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 2508
          },
          {
            "timestamp": "2026-04-16 20:00:19,486",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01332000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 2509
          },
          {
            "timestamp": "2026-04-16 20:00:19,486",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01332000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2510
          },
          {
            "timestamp": "2026-04-16 20:00:19,486",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x08220001",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ru\\mscorrc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 2511
          },
          {
            "timestamp": "2026-04-16 20:00:19,486",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08280000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2512
          },
          {
            "timestamp": "2026-04-16 20:00:19,502",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x083a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2513
          },
          {
            "timestamp": "2026-04-16 20:00:19,502",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01337000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2514
          },
          {
            "timestamp": "2026-04-16 20:00:19,502",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081a5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2515
          },
          {
            "timestamp": "2026-04-16 20:00:19,502",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000490"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 2516
          },
          {
            "timestamp": "2026-04-16 20:00:19,502",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000490"
              },
              {
                "name": "ValueName",
                "value": "Latest"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest"
              }
            ],
            "repeated": 0,
            "id": 2517
          },
          {
            "timestamp": "2026-04-16 20:00:19,502",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 2518
          },
          {
            "timestamp": "2026-04-16 20:00:19,502",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x083b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2519
          },
          {
            "timestamp": "2026-04-16 20:00:19,502",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000490"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\KERNELBASE.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2520
          },
          {
            "timestamp": "2026-04-16 20:00:19,502",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000498"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000490"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\KernelBase.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 2521
          },
          {
            "timestamp": "2026-04-16 20:00:19,502",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000498"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x083d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x0839caa8"
              },
              {
                "name": "ViewSize",
                "value": "0x0014f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2522
          },
          {
            "timestamp": "2026-04-16 20:00:19,502",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2523
          },
          {
            "timestamp": "2026-04-16 20:00:19,502",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x083d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0014f000"
              }
            ],
            "repeated": 0,
            "id": 2524
          },
          {
            "timestamp": "2026-04-16 20:00:19,502",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 2525
          },
          {
            "timestamp": "2026-04-16 20:00:19,502",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\KERNELBASE.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2526
          },
          {
            "timestamp": "2026-04-16 20:00:19,502",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000490"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\sysnative\\ru-RU\\KERNELBASE.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2527
          },
          {
            "timestamp": "2026-04-16 20:00:19,502",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000498"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000490"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\sysnative\\ru-RU\\KernelBase.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 2528
          },
          {
            "timestamp": "2026-04-16 20:00:19,502",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000498"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x083d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x0839caa8"
              },
              {
                "name": "ViewSize",
                "value": "0x0014c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2529
          },
          {
            "timestamp": "2026-04-16 20:00:19,502",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2530
          },
          {
            "timestamp": "2026-04-16 20:00:19,502",
            "thread_id": "3964",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08200000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2531
          },
          {
            "timestamp": "2026-04-16 20:00:19,502",
            "thread_id": "3964",
            "caller": "0x7731327c",
            "parentcaller": "0x77ee4a78",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "63"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2532
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x07ec14d7",
            "parentcaller": "0x00000000",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "MutexName",
                "value": "Global\\.net clr networking"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2533
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x07ec15c2",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2534
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x07ec15c2",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "Milliseconds",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 2535
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x07ec1317",
            "parentcaller": "0x00000000",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              }
            ],
            "repeated": 1,
            "id": 2536
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x07ec14d7",
            "parentcaller": "0x00000000",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "MutexName",
                "value": "Global\\.net clr networking"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2537
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x07ec15c2",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2538
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x07ec15c2",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "Milliseconds",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 2539
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x07ec1317",
            "parentcaller": "0x00000000",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              }
            ],
            "repeated": 1,
            "id": 2540
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x07ec14d7",
            "parentcaller": "0x00000000",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "MutexName",
                "value": "Global\\.net clr networking"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2541
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x07ec15c2",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2542
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x07ec15c2",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "Milliseconds",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 2543
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x07ec1317",
            "parentcaller": "0x00000000",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              }
            ],
            "repeated": 1,
            "id": 2544
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x07ec14d7",
            "parentcaller": "0x00000000",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "MutexName",
                "value": "Global\\.net clr networking"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2545
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x07ec15c2",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2546
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x07ec15c2",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "Milliseconds",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 2547
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x07ec1317",
            "parentcaller": "0x00000000",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              }
            ],
            "repeated": 1,
            "id": 2548
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x07ec14d7",
            "parentcaller": "0x00000000",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "MutexName",
                "value": "Global\\.net clr networking"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2549
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x07ec15c2",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2550
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x07ec15c2",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "Milliseconds",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 2551
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x07ec1317",
            "parentcaller": "0x00000000",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              }
            ],
            "repeated": 1,
            "id": 2552
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x73a7df9e",
            "parentcaller": "0x73a82c37",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2553
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x77260848",
            "parentcaller": "0x73950b42",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000498"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120453",
                "pretty_value": "PROCESS_TERMINATE|PROCESS_CREATE_THREAD|PROCESS_VM_READ|PROCESS_DUP_HANDLE|PROCESS_QUERY_INFORMATION|SYNCHRONIZE|0x00020000"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2554
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x7726269a",
            "parentcaller": "0x7384680e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2555
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x77263cc4",
            "parentcaller": "0x73b320a0",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000002"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004bc"
              }
            ],
            "repeated": 0,
            "id": 2556
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x7726074f",
            "parentcaller": "0x7386cc0a",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "advapi32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              }
            ],
            "repeated": 0,
            "id": 2557
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "CheckTokenMembership"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebf540"
              }
            ],
            "repeated": 0,
            "id": 2558
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x7726074f",
            "parentcaller": "0x7386cc0a",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "advapi32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              }
            ],
            "repeated": 0,
            "id": 2559
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "CheckTokenMembership"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebf540"
              }
            ],
            "repeated": 0,
            "id": 2560
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x7726269a",
            "parentcaller": "0x73b320ea",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              }
            ],
            "repeated": 0,
            "id": 2561
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x7726269a",
            "parentcaller": "0x73b320f5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 2562
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting"
              }
            ],
            "repeated": 0,
            "id": 2563
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting"
              }
            ],
            "repeated": 0,
            "id": 2564
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting"
              }
            ],
            "repeated": 0,
            "id": 2565
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting"
              }
            ],
            "repeated": 0,
            "id": 2566
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting"
              }
            ],
            "repeated": 0,
            "id": 2567
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting"
              }
            ],
            "repeated": 0,
            "id": 2568
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting"
              }
            ],
            "repeated": 0,
            "id": 2569
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting"
              }
            ],
            "repeated": 0,
            "id": 2570
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting"
              }
            ],
            "repeated": 0,
            "id": 2571
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting"
              }
            ],
            "repeated": 0,
            "id": 2572
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting"
              }
            ],
            "repeated": 0,
            "id": 2573
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting"
              }
            ],
            "repeated": 0,
            "id": 2574
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting"
              }
            ],
            "repeated": 0,
            "id": 2575
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting"
              }
            ],
            "repeated": 0,
            "id": 2576
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting"
              }
            ],
            "repeated": 0,
            "id": 2577
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting"
              }
            ],
            "repeated": 0,
            "id": 2578
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList"
              }
            ],
            "repeated": 0,
            "id": 2579
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList"
              }
            ],
            "repeated": 0,
            "id": 2580
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList"
              }
            ],
            "repeated": 0,
            "id": 2581
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList"
              }
            ],
            "repeated": 0,
            "id": 2582
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList"
              }
            ],
            "repeated": 0,
            "id": 2583
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList"
              }
            ],
            "repeated": 0,
            "id": 2584
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList"
              }
            ],
            "repeated": 0,
            "id": 2585
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73a3c8c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList"
              }
            ],
            "repeated": 0,
            "id": 2586
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x77260e58",
            "parentcaller": "0x77260abe",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0007",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_WRITE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2587
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x7727675b",
            "parentcaller": "0x7727669e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08200000"
              },
              {
                "name": "SectionOffset",
                "value": "0x0839d19c"
              },
              {
                "name": "ViewSize",
                "value": "0x0000a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2588
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x77261137",
            "parentcaller": "0x7726088e",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c8"
              },
              {
                "name": "MutexName",
                "value": ""
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2589
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x77260848",
            "parentcaller": "0x73a3f3ce",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000004cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120453",
                "pretty_value": "PROCESS_TERMINATE|PROCESS_CREATE_THREAD|PROCESS_VM_READ|PROCESS_DUP_HANDLE|PROCESS_QUERY_INFORMATION|SYNCHRONIZE|0x00020000"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2590
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x772605b6",
            "parentcaller": "0x7726162b",
            "category": "filesystem",
            "api": "GetFileVersionInfoSizeW",
            "status": true,
            "return": "0x000004bc",
            "arguments": [
              {
                "name": "PathName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 2591
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x772605b6",
            "parentcaller": "0x772604de",
            "category": "filesystem",
            "api": "GetFileVersionInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "PathName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 2592
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x772605b6",
            "parentcaller": "0x7726162b",
            "category": "filesystem",
            "api": "GetFileVersionInfoSizeW",
            "status": true,
            "return": "0x000004bc",
            "arguments": [
              {
                "name": "PathName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 2593
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x772605b6",
            "parentcaller": "0x772604de",
            "category": "filesystem",
            "api": "GetFileVersionInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "PathName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 2594
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x73878ff3",
            "parentcaller": "0x7387906e",
            "category": "misc",
            "api": "HeapCreate",
            "status": true,
            "return": "0x08530000",
            "arguments": [
              {
                "name": "Options",
                "value": "262144"
              },
              {
                "name": "InitialSize",
                "value": "0x00000000"
              },
              {
                "name": "MaximumSize",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2595
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08531000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2596
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x73e17a31",
            "parentcaller": "0x73e523f8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework\\Policy\\AppPatch"
              },
              {
                "name": "Handle",
                "value": "0x000004e0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\AppPatch"
              }
            ],
            "repeated": 0,
            "id": 2597
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x77277bae",
            "parentcaller": "0x73e52c0b",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319"
              }
            ],
            "repeated": 0,
            "id": 2598
          },
          {
            "timestamp": "2026-04-16 20:00:19,518",
            "thread_id": "3964",
            "caller": "0x73e17a31",
            "parentcaller": "0x73e523f8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004e0"
              },
              {
                "name": "SubKey",
                "value": "v4.0.30319.00000"
              },
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\policy\\AppPatch\\v4.0.30319.00000"
              }
            ],
            "repeated": 0,
            "id": 2599
          },
          {
            "timestamp": "2026-04-16 20:00:19,533",
            "thread_id": "3964",
            "caller": "0x73e1760b",
            "parentcaller": "0x73e50f0e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e0"
              }
            ],
            "repeated": 0,
            "id": 2600
          },
          {
            "timestamp": "2026-04-16 20:00:19,533",
            "thread_id": "3964",
            "caller": "0x73e17a31",
            "parentcaller": "0x73e523f8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004e4"
              },
              {
                "name": "SubKey",
                "value": "mscorwks.dll"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\policy\\AppPatch\\v4.0.30319.00000\\mscorwks.dll"
              }
            ],
            "repeated": 0,
            "id": 2601
          },
          {
            "timestamp": "2026-04-16 20:00:19,533",
            "thread_id": "3964",
            "caller": "0x73e1760b",
            "parentcaller": "0x73e50b0a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              }
            ],
            "repeated": 0,
            "id": 2602
          },
          {
            "timestamp": "2026-04-16 20:00:19,533",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2603
          },
          {
            "timestamp": "2026-04-16 20:00:19,533",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08540000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2604
          },
          {
            "timestamp": "2026-04-16 20:00:19,533",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08294000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2605
          },
          {
            "timestamp": "2026-04-16 20:00:19,533",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08550000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2606
          },
          {
            "timestamp": "2026-04-16 20:00:19,533",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07edf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2607
          },
          {
            "timestamp": "2026-04-16 20:00:19,533",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08550000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2608
          },
          {
            "timestamp": "2026-04-16 20:00:19,533",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08540000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2609
          },
          {
            "timestamp": "2026-04-16 20:00:19,533",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2610
          },
          {
            "timestamp": "2026-04-16 20:00:19,533",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x083c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2611
          },
          {
            "timestamp": "2026-04-16 20:00:19,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x083b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2612
          },
          {
            "timestamp": "2026-04-16 20:00:19,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x083a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2613
          },
          {
            "timestamp": "2026-04-16 20:00:19,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08280000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2614
          },
          {
            "timestamp": "2026-04-16 20:00:19,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08210000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2615
          },
          {
            "timestamp": "2026-04-16 20:00:19,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08210000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2616
          },
          {
            "timestamp": "2026-04-16 20:00:19,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08280000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2617
          },
          {
            "timestamp": "2026-04-16 20:00:19,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x083a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2618
          },
          {
            "timestamp": "2026-04-16 20:00:19,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x083b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2619
          },
          {
            "timestamp": "2026-04-16 20:00:19,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x083c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2620
          },
          {
            "timestamp": "2026-04-16 20:00:19,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2621
          },
          {
            "timestamp": "2026-04-16 20:00:19,549",
            "thread_id": "3964",
            "caller": "0x772501f4",
            "parentcaller": "0x7724f4fc",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000004e0"
              },
              {
                "name": "ThreadHandle",
                "value": "0x000004e4"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\dw20.exe"
              },
              {
                "name": "CommandLine",
                "value": "dw20.exe -x -s 1208"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "3832"
              }
            ],
            "repeated": 0,
            "id": 2622
          },
          {
            "timestamp": "2026-04-16 20:00:19,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08540000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2623
          },
          {
            "timestamp": "2026-04-16 20:00:19,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08550000"
              },
              {
                "name": "RegionSize",
                "value": "0x00014000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2624
          },
          {
            "timestamp": "2026-04-16 20:00:19,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08570000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2625
          },
          {
            "timestamp": "2026-04-16 20:00:19,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08580000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2626
          },
          {
            "timestamp": "2026-04-16 20:00:19,549",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08590000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2627
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08297000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2628
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x085a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2629
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x085a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2630
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x085a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2631
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08590000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2632
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08580000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2633
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08570000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2634
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08550000"
              },
              {
                "name": "RegionSize",
                "value": "0x00014000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2635
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08540000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2636
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2637
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x083c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2638
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x083b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2639
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x083a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2640
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08280000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2641
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08210000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2642
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08299dcf",
            "category": "system",
            "api": "LdrLoadDll",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\bcrypt.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2643
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08299dcf",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\bcrypt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 2644
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08299dcf",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "bcrypt.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x76160000"
              }
            ],
            "repeated": 0,
            "id": 2645
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08299dcf",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x76160000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "bcrypt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2646
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08299dcf",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "bcrypt.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76160000"
              },
              {
                "name": "FunctionName",
                "value": "BCryptGetFipsAlgorithmMode"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76169570"
              }
            ],
            "repeated": 0,
            "id": 2647
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x07ec0e04",
            "parentcaller": "0x08299dcf",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 2648
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x07ec0e04",
            "parentcaller": "0x08299dcf",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004f4"
              },
              {
                "name": "ValueName",
                "value": "Enabled"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled"
              }
            ],
            "repeated": 0,
            "id": 2649
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x07ec0e04",
            "parentcaller": "0x08299dcf",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa"
              }
            ],
            "repeated": 0,
            "id": 2650
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x07ec0e04",
            "parentcaller": "0x08299dcf",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004f8"
              },
              {
                "name": "ValueName",
                "value": "FipsAlgorithmPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 2651
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x07ec0e04",
            "parentcaller": "0x08299dcf",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004f4"
              },
              {
                "name": "ValueName",
                "value": "MDMEnabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled"
              }
            ],
            "repeated": 0,
            "id": 2652
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x07ec0e04",
            "parentcaller": "0x08299dcf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f4"
              }
            ],
            "repeated": 0,
            "id": 2653
          },
          {
            "timestamp": "2026-04-16 20:00:19,564",
            "thread_id": "4344",
            "caller": "0x07ec0e04",
            "parentcaller": "0x08299dcf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f8"
              }
            ],
            "repeated": 0,
            "id": 2654
          },
          {
            "timestamp": "2026-04-16 20:00:19,611",
            "thread_id": "4344",
            "caller": "0x02f623e7",
            "parentcaller": "0x082991c6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c22000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2655
          },
          {
            "timestamp": "2026-04-16 20:00:19,611",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x085a2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2656
          },
          {
            "timestamp": "2026-04-16 20:00:19,611",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01334000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 2657
          },
          {
            "timestamp": "2026-04-16 20:00:19,611",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01312000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 2658
          },
          {
            "timestamp": "2026-04-16 20:00:19,611",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01334000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2659
          },
          {
            "timestamp": "2026-04-16 20:00:19,643",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0829a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2660
          },
          {
            "timestamp": "2026-04-16 20:00:19,643",
            "thread_id": "4344",
            "caller": "0x07ec07b8",
            "parentcaller": "0x08299f68",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 2661
          },
          {
            "timestamp": "2026-04-16 20:00:19,643",
            "thread_id": "4344",
            "caller": "0x07ec08b7",
            "parentcaller": "0x0829a163",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2662
          },
          {
            "timestamp": "2026-04-16 20:00:19,643",
            "thread_id": "4344",
            "caller": "0x07ec0b96",
            "parentcaller": "0x0829a16f",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004f8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x16\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2663
          },
          {
            "timestamp": "2026-04-16 20:00:19,643",
            "thread_id": "4344",
            "caller": "0x0829a17d",
            "parentcaller": "0x0829a111",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x06c1f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00154000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2664
          },
          {
            "timestamp": "2026-04-16 20:00:19,643",
            "thread_id": "4344",
            "caller": "0x07ec0c6f",
            "parentcaller": "0x0829a193",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004f8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x0e\\x1f\\xba\\x0e\\x00\\xb4\t\\xcd!\\xb8\\x01L\\xcd!This program cannot be run in DOS mode.\r\r\n$\\x00\\x00\\x00\\x00\\x00\\x00\\x00PE\\x00\\x00L\\x01\\x04\\x00\t\\x9d\\x93U\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x00\\x0e\\x01\\x0b\\x01\\x06\\x00\\x00\\xb2\\x15\\x00\\x00N\\x00\\x00\\x00\\x00\\x00\\x00\\xce\\xd0\\x15\\x00\\x00 \\x00\\x00\\x00\\xe0\\x15\\x00\\x00\\x00@\\x00\\x00 \\x00\\x00\\x00\\x02\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "1442816"
              }
            ],
            "repeated": 0,
            "id": 2665
          },
          {
            "timestamp": "2026-04-16 20:00:19,643",
            "thread_id": "4344",
            "caller": "0x02f6a896",
            "parentcaller": "0x0829a1c1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f8"
              }
            ],
            "repeated": 0,
            "id": 2666
          },
          {
            "timestamp": "2026-04-16 20:00:19,643",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x08294e9e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetProcessWindowStation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d517d0"
              }
            ],
            "repeated": 0,
            "id": 2667
          },
          {
            "timestamp": "2026-04-16 20:00:19,643",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetUserObjectInformation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2668
          },
          {
            "timestamp": "2026-04-16 20:00:19,643",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetUserObjectInformationA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d3bd50"
              }
            ],
            "repeated": 0,
            "id": 2669
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "SetConsoleCtrlHandler"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad3960"
              }
            ],
            "repeated": 0,
            "id": 2670
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "SetConsoleCtrlHandlerW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2671
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetModuleHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2672
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetModuleHandleW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0e50"
              }
            ],
            "repeated": 0,
            "id": 2673
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetClassInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2674
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetClassInfoW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d3df90"
              }
            ],
            "repeated": 0,
            "id": 2675
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterClass"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2676
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterClassW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d3f1d0"
              }
            ],
            "repeated": 0,
            "id": 2677
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "CreateWindowEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2678
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "CreateWindowExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d3f220"
              }
            ],
            "repeated": 0,
            "id": 2679
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x02f6b54b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "DefWindowProc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2680
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x02f6b54b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "DefWindowProcW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ec7fa0"
              }
            ],
            "repeated": 0,
            "id": 2681
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x02f6b54b",
            "parentcaller": "0x02f62420",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "MSCTF.dll"
              }
            ],
            "repeated": 0,
            "id": 2682
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x02f6b54b",
            "parentcaller": "0x02f62420",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004f8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76ba0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000d4000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2683
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x02f6b54b",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f8"
              }
            ],
            "repeated": 0,
            "id": 2684
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x02f6b54b",
            "parentcaller": "0x02f62420",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\t\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00ons.\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00onSe\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00te, \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00, Ve\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x000.0.\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00re=n\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00Publ\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00en=b\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00934e"
              }
            ],
            "repeated": 0,
            "id": 2685
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x02f6b54b",
            "parentcaller": "0x02f62420",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\System32\\MSCTF.dll"
              }
            ],
            "repeated": 0,
            "id": 2686
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x02f6b54b",
            "parentcaller": "0x02f62420",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msctf.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2687
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x02f6b54b",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f8"
              }
            ],
            "repeated": 0,
            "id": 2688
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x02f6b54b",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\MSCTF"
              },
              {
                "name": "DllBase",
                "value": "0x76ba0000"
              }
            ],
            "repeated": 0,
            "id": 2689
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x02f6b54b",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\msctf"
              },
              {
                "name": "BaseAddress",
                "value": "0x76ba0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x76bee040"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2690
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x02f6b54b",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fc"
              }
            ],
            "repeated": 0,
            "id": 2691
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x02f6b54b",
            "parentcaller": "0x02f62420",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000500"
              }
            ],
            "repeated": 0,
            "id": 2692
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x02f62420",
            "parentcaller": "0x08294e9e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01312000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2693
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08294e9e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "SystemParametersInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2694
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08294e9e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "SystemParametersInfoW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d44bd0"
              }
            ],
            "repeated": 0,
            "id": 2695
          },
          {
            "timestamp": "2026-04-16 20:00:19,658",
            "thread_id": "4344",
            "caller": "0x07ec2547",
            "parentcaller": "0x08294e9e",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001024"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2696
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x08294e9e",
            "parentcaller": "0x08293e6a",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000500"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Sessions\\1\\Windows\\ThemeSection"
              }
            ],
            "repeated": 0,
            "id": 2697
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x08294e9e",
            "parentcaller": "0x08293e6a",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000500"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08210000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fe02c"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2698
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x08294e9e",
            "parentcaller": "0x08293e6a",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08210000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2699
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x08294e9e",
            "parentcaller": "0x08293e6a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000500"
              }
            ],
            "repeated": 0,
            "id": 2700
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x08294e9e",
            "parentcaller": "0x08293e6a",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x0000000c"
              }
            ],
            "repeated": 0,
            "id": 2701
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x08294e9e",
            "parentcaller": "0x08293e6a",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000500"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Sessions\\1\\Windows\\ThemeSection"
              }
            ],
            "repeated": 0,
            "id": 2702
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x08294e9e",
            "parentcaller": "0x08293e6a",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000500"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08210000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fe02c"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2703
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x08294e9e",
            "parentcaller": "0x08293e6a",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08210000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2704
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x08294e9e",
            "parentcaller": "0x08293e6a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000500"
              }
            ],
            "repeated": 0,
            "id": 2705
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x08294e9e",
            "parentcaller": "0x08293e6a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "uxtheme.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x745d0000"
              },
              {
                "name": "FunctionName",
                "value": "GetThemeAppProperties"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x745fbf20"
              }
            ],
            "repeated": 0,
            "id": 2706
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x08294e9e",
            "parentcaller": "0x08293e6a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "uxtheme.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x745d0000"
              },
              {
                "name": "FunctionName",
                "value": "GetThemeAppPropertiesW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2707
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08294e9e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "uxtheme.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x745d0000"
              },
              {
                "name": "FunctionName",
                "value": "OpenThemeData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x745fca30"
              }
            ],
            "repeated": 0,
            "id": 2708
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08294e9e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "uxtheme.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x745d0000"
              },
              {
                "name": "FunctionName",
                "value": "OpenThemeDataW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2709
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec25f9",
            "parentcaller": "0x08294e9e",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x0000000c"
              }
            ],
            "repeated": 0,
            "id": 2710
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec25f9",
            "parentcaller": "0x08294e9e",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000500"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Sessions\\1\\Windows\\ThemeSection"
              }
            ],
            "repeated": 0,
            "id": 2711
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec25f9",
            "parentcaller": "0x08294e9e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000500"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08210000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdb2c"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2712
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec25f9",
            "parentcaller": "0x08294e9e",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Windows\\Theme3753190323"
              }
            ],
            "repeated": 0,
            "id": 2713
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec25f9",
            "parentcaller": "0x08294e9e",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000504"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Sessions\\1\\Windows\\Theme4068553709"
              }
            ],
            "repeated": 0,
            "id": 2714
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec25f9",
            "parentcaller": "0x08294e9e",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08210000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2715
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec25f9",
            "parentcaller": "0x08294e9e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000500"
              }
            ],
            "repeated": 0,
            "id": 2716
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec25f9",
            "parentcaller": "0x08294e9e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004fc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08680000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fe1b4"
              },
              {
                "name": "ViewSize",
                "value": "0x000e2000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2717
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec25f9",
            "parentcaller": "0x08294e9e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000504"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08210000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fe1b4"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2718
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec25f9",
            "parentcaller": "0x08294e9e",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 2719
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec25f9",
            "parentcaller": "0x08294e9e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e724f0"
              }
            ],
            "repeated": 0,
            "id": 2720
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec25f9",
            "parentcaller": "0x08294e9e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb40c0"
              }
            ],
            "repeated": 0,
            "id": 2721
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec25f9",
            "parentcaller": "0x08294e9e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e70780"
              }
            ],
            "repeated": 0,
            "id": 2722
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec25f9",
            "parentcaller": "0x08294e9e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eac2a0"
              }
            ],
            "repeated": 0,
            "id": 2723
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec25f9",
            "parentcaller": "0x08294e9e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea52e0"
              }
            ],
            "repeated": 0,
            "id": 2724
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec25f9",
            "parentcaller": "0x08294e9e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 2725
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec25f9",
            "parentcaller": "0x08294e9e",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000500"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:7684:168:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2726
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec25f9",
            "parentcaller": "0x08294e9e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000500"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2727
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec25f9",
            "parentcaller": "0x08294e9e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2728
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec25f9",
            "parentcaller": "0x08294e9e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2729
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec25f9",
            "parentcaller": "0x08294e9e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 2730
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec25f9",
            "parentcaller": "0x08294e9e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000500"
              }
            ],
            "repeated": 1,
            "id": 2731
          },
          {
            "timestamp": "2026-04-16 20:00:19,689",
            "thread_id": "4344",
            "caller": "0x07ec2547",
            "parentcaller": "0x05730626",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x0000006a"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2732
          },
          {
            "timestamp": "2026-04-16 20:00:19,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetSystemDefaultLCID"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ac7cb0"
              }
            ],
            "repeated": 0,
            "id": 2733
          },
          {
            "timestamp": "2026-04-16 20:00:19,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetSystemDefaultLCIDW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2734
          },
          {
            "timestamp": "2026-04-16 20:00:19,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "GetStockObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a85e50"
              }
            ],
            "repeated": 0,
            "id": 2735
          },
          {
            "timestamp": "2026-04-16 20:00:19,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "GetObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2736
          },
          {
            "timestamp": "2026-04-16 20:00:19,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "GetObjectW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86c50"
              }
            ],
            "repeated": 0,
            "id": 2737
          },
          {
            "timestamp": "2026-04-16 20:00:19,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetDC"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d4e9f0"
              }
            ],
            "repeated": 0,
            "id": 2738
          },
          {
            "timestamp": "2026-04-16 20:00:19,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetCurrentProcessId"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad2e90"
              }
            ],
            "repeated": 0,
            "id": 2739
          },
          {
            "timestamp": "2026-04-16 20:00:19,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetCurrentProcessIdW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2740
          },
          {
            "timestamp": "2026-04-16 20:00:19,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "FindAtom"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2741
          },
          {
            "timestamp": "2026-04-16 20:00:19,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "FindAtomW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76acba00"
              }
            ],
            "repeated": 0,
            "id": 2742
          },
          {
            "timestamp": "2026-04-16 20:00:19,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "AddAtom"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2743
          },
          {
            "timestamp": "2026-04-16 20:00:19,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "AddAtomW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76acb8d0"
              }
            ],
            "repeated": 0,
            "id": 2744
          },
          {
            "timestamp": "2026-04-16 20:00:19,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x74160000"
              },
              {
                "name": "FunctionName",
                "value": "LoadLibraryShim"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x741713e0"
              }
            ],
            "repeated": 0,
            "id": 2745
          },
          {
            "timestamp": "2026-04-16 20:00:19,705",
            "thread_id": "4344",
            "caller": "0x07ec28cf",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LdrLoadDll",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Gdiplus.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2746
          },
          {
            "timestamp": "2026-04-16 20:00:19,705",
            "thread_id": "4344",
            "caller": "0x07ec28cf",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Gdiplus.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 2747
          },
          {
            "timestamp": "2026-04-16 20:00:19,908",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097\\gdiplus"
              },
              {
                "name": "DllBase",
                "value": "0x709a0000"
              }
            ],
            "repeated": 0,
            "id": 2748
          },
          {
            "timestamp": "2026-04-16 20:00:20,064",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "gdiplus.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x709a0000"
              }
            ],
            "repeated": 0,
            "id": 2749
          },
          {
            "timestamp": "2026-04-16 20:00:20,064",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x709a0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "gdiplus.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2750
          },
          {
            "timestamp": "2026-04-16 20:00:20,064",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdiplusStartup"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a15d90"
              }
            ],
            "repeated": 0,
            "id": 2751
          },
          {
            "timestamp": "2026-04-16 20:00:20,064",
            "thread_id": "4344",
            "caller": "0x07ec29b4",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08770000"
              },
              {
                "name": "RegionSize",
                "value": "0x00110000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2752
          },
          {
            "timestamp": "2026-04-16 20:00:20,064",
            "thread_id": "4344",
            "caller": "0x07ec29b4",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08770000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2753
          },
          {
            "timestamp": "2026-04-16 20:00:20,064",
            "thread_id": "4344",
            "caller": "0x07ec29b4",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08870000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2754
          },
          {
            "timestamp": "2026-04-16 20:00:20,064",
            "thread_id": "4344",
            "caller": "0x07ec29b4",
            "parentcaller": "0x05730626",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2755
          },
          {
            "timestamp": "2026-04-16 20:00:20,064",
            "thread_id": "4344",
            "caller": "0x07ec29b4",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 1,
            "id": 2756
          },
          {
            "timestamp": "2026-04-16 20:00:20,064",
            "thread_id": "4344",
            "caller": "0x07ec29b4",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "user32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              }
            ],
            "repeated": 0,
            "id": 2757
          },
          {
            "timestamp": "2026-04-16 20:00:20,064",
            "thread_id": "4344",
            "caller": "0x07ec29b4",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetWindowInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d44e90"
              }
            ],
            "repeated": 0,
            "id": 2758
          },
          {
            "timestamp": "2026-04-16 20:00:20,064",
            "thread_id": "4344",
            "caller": "0x07ec29b4",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetAncestor"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d514a0"
              }
            ],
            "repeated": 0,
            "id": 2759
          },
          {
            "timestamp": "2026-04-16 20:00:20,064",
            "thread_id": "4344",
            "caller": "0x07ec29b4",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetMonitorInfoA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d341e0"
              }
            ],
            "repeated": 0,
            "id": 2760
          },
          {
            "timestamp": "2026-04-16 20:00:20,064",
            "thread_id": "4344",
            "caller": "0x07ec29b4",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "EnumDisplayMonitors"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d51440"
              }
            ],
            "repeated": 0,
            "id": 2761
          },
          {
            "timestamp": "2026-04-16 20:00:20,064",
            "thread_id": "4344",
            "caller": "0x07ec29b4",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "EnumDisplayDevicesA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d395a0"
              }
            ],
            "repeated": 0,
            "id": 2762
          },
          {
            "timestamp": "2026-04-16 20:00:20,096",
            "thread_id": "4344",
            "caller": "0x07ec29b4",
            "parentcaller": "0x05730626",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08871000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2763
          },
          {
            "timestamp": "2026-04-16 20:00:20,096",
            "thread_id": "4344",
            "caller": "0x07ec29b4",
            "parentcaller": "0x05730626",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": true,
            "return": "0x00000400",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "78"
              }
            ],
            "repeated": 0,
            "id": 2764
          },
          {
            "timestamp": "2026-04-16 20:00:20,096",
            "thread_id": "4344",
            "caller": "0x07ec29b4",
            "parentcaller": "0x05730626",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": true,
            "return": "0x00000300",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 2765
          },
          {
            "timestamp": "2026-04-16 20:00:20,096",
            "thread_id": "4344",
            "caller": "0x07ec29b4",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "gdi32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              }
            ],
            "repeated": 0,
            "id": 2766
          },
          {
            "timestamp": "2026-04-16 20:00:20,096",
            "thread_id": "4344",
            "caller": "0x07ec29b4",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "ExtTextOutW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a83a60"
              }
            ],
            "repeated": 0,
            "id": 2767
          },
          {
            "timestamp": "2026-04-16 20:00:20,096",
            "thread_id": "4344",
            "caller": "0x07ec29b4",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "GdiIsMetaPrintDC"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a8a680"
              }
            ],
            "repeated": 0,
            "id": 2768
          },
          {
            "timestamp": "2026-04-16 20:00:20,111",
            "thread_id": "4344",
            "caller": "0x07ec29b4",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097\\GdiPlus.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x709a0000"
              }
            ],
            "repeated": 0,
            "id": 2769
          },
          {
            "timestamp": "2026-04-16 20:00:20,111",
            "thread_id": "4344",
            "caller": "0x07ec29b4",
            "parentcaller": "0x05730626",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000520"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x70a17810"
              },
              {
                "name": "Parameter",
                "value": "0x08871298"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "7484"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "Module",
                "value": "gdiplus.dll"
              }
            ],
            "repeated": 0,
            "id": 2770
          },
          {
            "timestamp": "2026-04-16 20:00:20,111",
            "thread_id": "4344",
            "caller": "0x07ec29b4",
            "parentcaller": "0x05730626",
            "category": "threading",
            "api": "CreateThread",
            "status": true,
            "return": "0x00000520",
            "arguments": [
              {
                "name": "StartRoutine",
                "value": "0x70a17810"
              },
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "Parameter",
                "value": "0x08871298"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "7484"
              }
            ],
            "repeated": 0,
            "id": 2771
          },
          {
            "timestamp": "2026-04-16 20:00:20,111",
            "thread_id": "7484",
            "caller": "0x7726f231",
            "parentcaller": "0x736e2c18",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 2,
            "id": 2772
          },
          {
            "timestamp": "2026-04-16 20:00:20,111",
            "thread_id": "7484",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2773
          },
          {
            "timestamp": "2026-04-16 20:00:20,111",
            "thread_id": "7484",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2774
          },
          {
            "timestamp": "2026-04-16 20:00:20,111",
            "thread_id": "7484",
            "caller": "0x77e7939b",
            "parentcaller": "0x77e79802",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\SystemResources\\gdiplus.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 1,
            "id": 2775
          },
          {
            "timestamp": "2026-04-16 20:00:20,127",
            "thread_id": "7484",
            "caller": "0x77e962aa",
            "parentcaller": "0x7727c59a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 2776
          },
          {
            "timestamp": "2026-04-16 20:00:20,127",
            "thread_id": "7484",
            "caller": "0x77e962d1",
            "parentcaller": "0x7727c59a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              }
            ],
            "repeated": 0,
            "id": 2777
          },
          {
            "timestamp": "2026-04-16 20:00:20,127",
            "thread_id": "7484",
            "caller": "0x77263cc4",
            "parentcaller": "0x70a17bfc",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000530"
              }
            ],
            "repeated": 0,
            "id": 2778
          },
          {
            "timestamp": "2026-04-16 20:00:20,127",
            "thread_id": "7484",
            "caller": "0x77261446",
            "parentcaller": "0x70a17c16",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "26"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2779
          },
          {
            "timestamp": "2026-04-16 20:00:20,127",
            "thread_id": "7484",
            "caller": "0x7726269a",
            "parentcaller": "0x70a17c29",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              }
            ],
            "repeated": 0,
            "id": 2780
          },
          {
            "timestamp": "2026-04-16 20:00:20,127",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipCreateFontFromLogfontW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a02360"
              }
            ],
            "repeated": 0,
            "id": 2781
          },
          {
            "timestamp": "2026-04-16 20:00:20,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "DWrite.dll"
              }
            ],
            "repeated": 0,
            "id": 2782
          },
          {
            "timestamp": "2026-04-16 20:00:20,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\DWrite.dll"
              }
            ],
            "repeated": 0,
            "id": 2783
          },
          {
            "timestamp": "2026-04-16 20:00:20,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\DWrite.dll"
              }
            ],
            "repeated": 0,
            "id": 2784
          },
          {
            "timestamp": "2026-04-16 20:00:20,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000514"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\DWrite.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2785
          },
          {
            "timestamp": "2026-04-16 20:00:20,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000514"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\DWrite.dll"
              }
            ],
            "repeated": 0,
            "id": 2786
          },
          {
            "timestamp": "2026-04-16 20:00:20,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000051c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x706f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0020c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2787
          },
          {
            "timestamp": "2026-04-16 20:00:20,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 2788
          },
          {
            "timestamp": "2026-04-16 20:00:20,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              }
            ],
            "repeated": 0,
            "id": 2789
          },
          {
            "timestamp": "2026-04-16 20:00:20,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\n\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0?1\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x009\\x00"
              }
            ],
            "repeated": 0,
            "id": 2790
          },
          {
            "timestamp": "2026-04-16 20:00:20,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\SYSTEM32\\DWrite.dll"
              }
            ],
            "repeated": 0,
            "id": 2791
          },
          {
            "timestamp": "2026-04-16 20:00:20,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000514"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\DWrite.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2792
          },
          {
            "timestamp": "2026-04-16 20:00:20,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              }
            ],
            "repeated": 0,
            "id": 2793
          },
          {
            "timestamp": "2026-04-16 20:00:20,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\DWrite"
              },
              {
                "name": "DllBase",
                "value": "0x706f0000"
              }
            ],
            "repeated": 0,
            "id": 2794
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2795
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000118"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\DirectWrite"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectWrite"
              }
            ],
            "repeated": 0,
            "id": 2796
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\DWrite"
              },
              {
                "name": "BaseAddress",
                "value": "0x706f0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x707a94a0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2797
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08880000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2798
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08880000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2799
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2800
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000051c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000118"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SYSTEM\\CurrentControlSet\\Services\\FontCache\\Parameters"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\FontCache\\Parameters"
              }
            ],
            "repeated": 0,
            "id": 2801
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000051c"
              },
              {
                "name": "ValueName",
                "value": "ClientCacheSize"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4194304"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\FontCache\\Parameters\\ClientCacheSize"
              }
            ],
            "repeated": 0,
            "id": 2802
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 2803
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 2804
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000534"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x083b0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fddc8"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2805
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x083c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2806
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000538"
              },
              {
                "name": "MutexName",
                "value": ""
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2807
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 2808
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000538"
              },
              {
                "name": "Milliseconds",
                "value": "4000"
              }
            ],
            "repeated": 0,
            "id": 2809
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2810
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000538"
              }
            ],
            "repeated": 0,
            "id": 2811
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 2812
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000534"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x085b0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdddc"
              },
              {
                "name": "ViewSize",
                "value": "0x00064000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2813
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 2814
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2815
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e04000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2816
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e06000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2817
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              }
            ],
            "repeated": 0,
            "id": 2818
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "ResourcePolicies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies"
              }
            ],
            "repeated": 0,
            "id": 2819
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 2820
          },
          {
            "timestamp": "2026-04-16 20:00:20,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08580000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2821
          },
          {
            "timestamp": "2026-04-16 20:00:20,252",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08580000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2822
          },
          {
            "timestamp": "2026-04-16 20:00:20,252",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e08000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2823
          },
          {
            "timestamp": "2026-04-16 20:00:20,252",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e09000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2824
          },
          {
            "timestamp": "2026-04-16 20:00:20,252",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e0a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2825
          },
          {
            "timestamp": "2026-04-16 20:00:20,252",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000534"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdb5c"
              },
              {
                "name": "ViewSize",
                "value": "0x01000000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2826
          },
          {
            "timestamp": "2026-04-16 20:00:20,252",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 2827
          },
          {
            "timestamp": "2026-04-16 20:00:20,252",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2828
          },
          {
            "timestamp": "2026-04-16 20:00:20,252",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000534"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\BAHNSCHRIFT.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2829
          },
          {
            "timestamp": "2026-04-16 20:00:20,252",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000534"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2830
          },
          {
            "timestamp": "2026-04-16 20:00:20,252",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2831
          },
          {
            "timestamp": "2026-04-16 20:00:20,252",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000540"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000534"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              }
            ],
            "repeated": 0,
            "id": 2832
          },
          {
            "timestamp": "2026-04-16 20:00:20,252",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000540"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0005b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2833
          },
          {
            "timestamp": "2026-04-16 20:00:20,252",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x099e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00400000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2834
          },
          {
            "timestamp": "2026-04-16 20:00:20,252",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 2835
          },
          {
            "timestamp": "2026-04-16 20:00:20,252",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x099e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00023000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2836
          },
          {
            "timestamp": "2026-04-16 20:00:20,252",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 2837
          },
          {
            "timestamp": "2026-04-16 20:00:20,252",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2838
          },
          {
            "timestamp": "2026-04-16 20:00:20,252",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000118"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Avalon.Graphics"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Avalon.Graphics"
              }
            ],
            "repeated": 0,
            "id": 2839
          },
          {
            "timestamp": "2026-04-16 20:00:20,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08892000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2840
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000544"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 2841
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000544"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 2842
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000544"
              }
            ],
            "repeated": 0,
            "id": 2843
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000544"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 2844
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000544"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 2845
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000544"
              }
            ],
            "repeated": 0,
            "id": 2846
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08892000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 2847
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e0d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 2848
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e0d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2849
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2850
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              }
            ],
            "repeated": 0,
            "id": 2851
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 2852
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2853
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000534"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\BAHNSCHRIFT.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2854
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000534"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2855
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2856
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000540"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000534"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              }
            ],
            "repeated": 0,
            "id": 2857
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000540"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0005b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2858
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 2859
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08892000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2860
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2861
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a03000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2862
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2863
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              }
            ],
            "repeated": 0,
            "id": 2864
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 2865
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2866
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000534"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\BAHNSCHRIFT.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2867
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000534"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2868
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2869
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000540"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000534"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              }
            ],
            "repeated": 0,
            "id": 2870
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000540"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0005b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2871
          },
          {
            "timestamp": "2026-04-16 20:00:20,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 2872
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2873
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a04000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2874
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2875
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              }
            ],
            "repeated": 0,
            "id": 2876
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 2877
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2878
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\BAHNSCHRIFT.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2879
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2880
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2881
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000534"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              }
            ],
            "repeated": 0,
            "id": 2882
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000534"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0005b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2883
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 2884
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2885
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a05000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2886
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2887
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 2888
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 2889
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2890
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\BAHNSCHRIFT.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2891
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2892
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2893
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000534"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              }
            ],
            "repeated": 0,
            "id": 2894
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000534"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0005b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2895
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 2896
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2897
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a06000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2898
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2899
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 2900
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 2901
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2902
          },
          {
            "timestamp": "2026-04-16 20:00:20,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\BAHNSCHRIFT.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2903
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2904
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2905
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000544"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              }
            ],
            "repeated": 0,
            "id": 2906
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000544"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0005b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2907
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 2908
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2909
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a07000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2910
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2911
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000544"
              }
            ],
            "repeated": 0,
            "id": 2912
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 2913
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2914
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\BAHNSCHRIFT.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2915
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2916
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2917
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000544"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              }
            ],
            "repeated": 0,
            "id": 2918
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000544"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0005b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2919
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 2920
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2921
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000544"
              }
            ],
            "repeated": 0,
            "id": 2922
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 2923
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08872000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2924
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2925
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\BAHNSCHRIFT.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2926
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2927
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2928
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000544"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              }
            ],
            "repeated": 0,
            "id": 2929
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000544"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0005b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2930
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 2931
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2932
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a08000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2933
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2934
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000544"
              }
            ],
            "repeated": 0,
            "id": 2935
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 2936
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2937
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\BAHNSCHRIFT.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2938
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2939
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2940
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000544"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              }
            ],
            "repeated": 0,
            "id": 2941
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000544"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0005b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2942
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 2943
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2944
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a09000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2945
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2946
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000544"
              }
            ],
            "repeated": 0,
            "id": 2947
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 2948
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2949
          },
          {
            "timestamp": "2026-04-16 20:00:20,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\BAHNSCHRIFT.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2950
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2951
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2952
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000548"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              }
            ],
            "repeated": 0,
            "id": 2953
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000548"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0005b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2954
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 2955
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2956
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a0a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2957
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2958
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              }
            ],
            "repeated": 0,
            "id": 2959
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 2960
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2961
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\BAHNSCHRIFT.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2962
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2963
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2964
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000548"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              }
            ],
            "repeated": 0,
            "id": 2965
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000548"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0005b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2966
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 2967
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ac000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2968
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2969
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a0b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2970
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2971
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              }
            ],
            "repeated": 0,
            "id": 2972
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 2973
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2974
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\BAHNSCHRIFT.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2975
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2976
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2977
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000548"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              }
            ],
            "repeated": 0,
            "id": 2978
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000548"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0005b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2979
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 2980
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2981
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a0c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2982
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2983
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              }
            ],
            "repeated": 0,
            "id": 2984
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 2985
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2986
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\BAHNSCHRIFT.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2987
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2988
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2989
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000548"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              }
            ],
            "repeated": 0,
            "id": 2990
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000548"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0005b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2991
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 2992
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2993
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              }
            ],
            "repeated": 0,
            "id": 2994
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 2995
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2996
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\BAHNSCHRIFT.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2997
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2998
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2999
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000548"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              }
            ],
            "repeated": 0,
            "id": 3000
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000548"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0005b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3001
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3002
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3003
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a0d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3004
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3005
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000548"
              }
            ],
            "repeated": 0,
            "id": 3006
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3007
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08873000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3008
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08875000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3009
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              }
            ],
            "repeated": 0,
            "id": 3010
          },
          {
            "timestamp": "2026-04-16 20:00:20,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "ResourcePolicies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies"
              }
            ],
            "repeated": 0,
            "id": 3011
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3012
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08590000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3013
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08590000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3014
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3015
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\BAHNSCHRIFT.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3016
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3017
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3018
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\bahnschrift.ttf"
              }
            ],
            "repeated": 0,
            "id": 3019
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0005b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3020
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3021
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3022
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a0e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3023
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3024
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 3025
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3026
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3027
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\calibri.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3028
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\calibri.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3029
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3030
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\calibri.ttf"
              }
            ],
            "repeated": 0,
            "id": 3031
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00193000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3032
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3033
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3034
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a0f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3035
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08892000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3036
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00193000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3037
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 3038
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3039
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3040
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\calibril.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3041
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\calibril.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3042
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3043
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\calibril.ttf"
              }
            ],
            "repeated": 0,
            "id": 3044
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00160000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3045
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3046
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08892000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3047
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3048
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a11000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3049
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08892000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3050
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00160000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3051
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 3052
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3053
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3054
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\calibrii.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3055
          },
          {
            "timestamp": "2026-04-16 20:00:20,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\calibrii.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3056
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3057
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\calibrii.ttf"
              }
            ],
            "repeated": 0,
            "id": 3058
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00125000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3059
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3060
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08892000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3061
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3062
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a13000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3063
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08892000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3064
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00125000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3065
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 3066
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3067
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3068
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\CALIBRILI.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3069
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\calibrili.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3070
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3071
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\calibrili.ttf"
              }
            ],
            "repeated": 0,
            "id": 3072
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00104000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3073
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3074
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08892000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3075
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3076
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a14000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3077
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08892000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3078
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00104000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3079
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 3080
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3081
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08877000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3082
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3083
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\calibrib.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3084
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\calibrib.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3085
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3086
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\calibrib.ttf"
              }
            ],
            "repeated": 0,
            "id": 3087
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0018a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3088
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3089
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08892000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3090
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3091
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a16000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3092
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08892000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3093
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0018a000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3094
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 3095
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3096
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3097
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\calibriz.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3098
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\calibriz.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3099
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3100
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\calibriz.ttf"
              }
            ],
            "repeated": 0,
            "id": 3101
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0011b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3102
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3103
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08892000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3104
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3105
          },
          {
            "timestamp": "2026-04-16 20:00:20,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a18000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3106
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08892000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3107
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08892000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3108
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0011b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3109
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 3110
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3111
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3112
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\cambria.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3113
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\cambria.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3114
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3115
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\cambria.ttc"
              }
            ],
            "repeated": 0,
            "id": 3116
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x001b6000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3117
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3118
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3119
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a1a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3120
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08893000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3121
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08893000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3122
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x001b6000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3123
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 3124
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3125
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3126
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\cambriai.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3127
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\cambriai.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3128
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3129
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\cambriai.ttf"
              }
            ],
            "repeated": 0,
            "id": 3130
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000da000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3131
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3132
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3133
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a1b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3134
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08893000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3135
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08893000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3136
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000da000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3137
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 3138
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3139
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3140
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\cambriab.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3141
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\cambriab.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3142
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3143
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\cambriab.ttf"
              }
            ],
            "repeated": 0,
            "id": 3144
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000ce000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3145
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3146
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3147
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a1c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3148
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08893000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3149
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08893000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3150
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000ce000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3151
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 3152
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3153
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3154
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\cambriaz.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3155
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\cambriaz.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3156
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3157
          },
          {
            "timestamp": "2026-04-16 20:00:20,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\cambriaz.ttf"
              }
            ],
            "repeated": 0,
            "id": 3158
          },
          {
            "timestamp": "2026-04-16 20:00:20,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000d2000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3159
          },
          {
            "timestamp": "2026-04-16 20:00:20,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3160
          },
          {
            "timestamp": "2026-04-16 20:00:20,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3161
          },
          {
            "timestamp": "2026-04-16 20:00:20,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a1d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3162
          },
          {
            "timestamp": "2026-04-16 20:00:20,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08895000"
              },
              {
                "name": "RegionSize",
                "value": "0x00016000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3163
          },
          {
            "timestamp": "2026-04-16 20:00:20,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000d2000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3164
          },
          {
            "timestamp": "2026-04-16 20:00:20,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 3165
          },
          {
            "timestamp": "2026-04-16 20:00:20,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3166
          },
          {
            "timestamp": "2026-04-16 20:00:20,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3167
          },
          {
            "timestamp": "2026-04-16 20:00:20,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\cambria.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3168
          },
          {
            "timestamp": "2026-04-16 20:00:20,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\cambria.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3169
          },
          {
            "timestamp": "2026-04-16 20:00:20,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3170
          },
          {
            "timestamp": "2026-04-16 20:00:20,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\cambria.ttc"
              }
            ],
            "repeated": 0,
            "id": 3171
          },
          {
            "timestamp": "2026-04-16 20:00:20,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x001b6000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3172
          },
          {
            "timestamp": "2026-04-16 20:00:20,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3173
          },
          {
            "timestamp": "2026-04-16 20:00:20,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3174
          },
          {
            "timestamp": "2026-04-16 20:00:20,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3175
          },
          {
            "timestamp": "2026-04-16 20:00:20,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a1e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3176
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x001b6000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3177
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 3178
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3179
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3180
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Candara.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3181
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Candara.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3182
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3183
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000558"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Candara.ttf"
              }
            ],
            "repeated": 0,
            "id": 3184
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000558"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00036000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3185
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3186
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08895000"
              },
              {
                "name": "RegionSize",
                "value": "0x00016000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3187
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3188
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a1f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3189
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3190
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08895000"
              },
              {
                "name": "RegionSize",
                "value": "0x00016000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3191
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08895000"
              },
              {
                "name": "RegionSize",
                "value": "0x00016000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3192
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00036000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3193
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000558"
              }
            ],
            "repeated": 0,
            "id": 3194
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000554"
              }
            ],
            "repeated": 0,
            "id": 3195
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3196
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Candaral.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3197
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Candaral.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3198
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3199
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000558"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Candaral.ttf"
              }
            ],
            "repeated": 0,
            "id": 3200
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000558"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0001e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3201
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3202
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3203
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3204
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a20000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3205
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3206
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08895000"
              },
              {
                "name": "RegionSize",
                "value": "0x00016000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3207
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08895000"
              },
              {
                "name": "RegionSize",
                "value": "0x00016000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3208
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001e000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3209
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000558"
              }
            ],
            "repeated": 0,
            "id": 3210
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000554"
              }
            ],
            "repeated": 0,
            "id": 3211
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3212
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Candarai.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3213
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Candarai.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3214
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3215
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000558"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Candarai.ttf"
              }
            ],
            "repeated": 0,
            "id": 3216
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000558"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00038000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3217
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3218
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3219
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3220
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a21000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3221
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00038000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3222
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000558"
              }
            ],
            "repeated": 0,
            "id": 3223
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000554"
              }
            ],
            "repeated": 0,
            "id": 3224
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3225
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\CANDARALI.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3226
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Candarali.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3227
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3228
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000558"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Candarali.ttf"
              }
            ],
            "repeated": 0,
            "id": 3229
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000558"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0001e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3230
          },
          {
            "timestamp": "2026-04-16 20:00:20,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3231
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3232
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a22000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3233
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001e000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3234
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000558"
              }
            ],
            "repeated": 0,
            "id": 3235
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000554"
              }
            ],
            "repeated": 0,
            "id": 3236
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3237
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Candarab.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3238
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Candarab.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3239
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3240
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000558"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Candarab.ttf"
              }
            ],
            "repeated": 0,
            "id": 3241
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000558"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00038000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3242
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3243
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3244
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a23000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3245
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00038000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3246
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000558"
              }
            ],
            "repeated": 0,
            "id": 3247
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000554"
              }
            ],
            "repeated": 0,
            "id": 3248
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3249
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Candaraz.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3250
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Candaraz.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3251
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3252
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000558"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Candaraz.ttf"
              }
            ],
            "repeated": 0,
            "id": 3253
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000558"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00038000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3254
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3255
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3256
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08896000"
              },
              {
                "name": "RegionSize",
                "value": "0x00015000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3257
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3258
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a24000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3259
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00038000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3260
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000558"
              }
            ],
            "repeated": 0,
            "id": 3261
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000554"
              }
            ],
            "repeated": 0,
            "id": 3262
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3263
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\comic.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3264
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\comic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3265
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3266
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000558"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\comic.ttf"
              }
            ],
            "repeated": 0,
            "id": 3267
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000558"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0003c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3268
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3269
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3270
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3271
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "ValueName",
                "value": "ca-ES"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ca-ES"
              }
            ],
            "repeated": 0,
            "id": 3272
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              }
            ],
            "repeated": 0,
            "id": 3273
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3274
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "ValueName",
                "value": "ca-ES"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ca-ES"
              }
            ],
            "repeated": 0,
            "id": 3275
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              }
            ],
            "repeated": 0,
            "id": 3276
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3277
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "ValueName",
                "value": "cs-CZ"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\cs-CZ"
              }
            ],
            "repeated": 0,
            "id": 3278
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              }
            ],
            "repeated": 0,
            "id": 3279
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3280
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "ValueName",
                "value": "cs-CZ"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\cs-CZ"
              }
            ],
            "repeated": 0,
            "id": 3281
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              }
            ],
            "repeated": 0,
            "id": 3282
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3283
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "ValueName",
                "value": "da-DK"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\da-DK"
              }
            ],
            "repeated": 0,
            "id": 3284
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              }
            ],
            "repeated": 0,
            "id": 3285
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3286
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "ValueName",
                "value": "da-DK"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\da-DK"
              }
            ],
            "repeated": 0,
            "id": 3287
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              }
            ],
            "repeated": 0,
            "id": 3288
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3289
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "ValueName",
                "value": "de-DE"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\de-DE"
              }
            ],
            "repeated": 0,
            "id": 3290
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              }
            ],
            "repeated": 0,
            "id": 3291
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3292
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "ValueName",
                "value": "de-DE"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\de-DE"
              }
            ],
            "repeated": 0,
            "id": 3293
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              }
            ],
            "repeated": 0,
            "id": 3294
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3295
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "ValueName",
                "value": "el-GR"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\el-GR"
              }
            ],
            "repeated": 0,
            "id": 3296
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              }
            ],
            "repeated": 0,
            "id": 3297
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3298
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "ValueName",
                "value": "el-GR"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\el-GR"
              }
            ],
            "repeated": 0,
            "id": 3299
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              }
            ],
            "repeated": 0,
            "id": 3300
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3301
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000055c"
              },
              {
                "name": "ValueName",
                "value": "es-ES_tradnl"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\es-ES_tradnl"
              }
            ],
            "repeated": 0,
            "id": 3302
          },
          {
            "timestamp": "2026-04-16 20:00:20,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              }
            ],
            "repeated": 0,
            "id": 3303
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3304
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "es-ES_tradnl"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\es-ES_tradnl"
              }
            ],
            "repeated": 0,
            "id": 3305
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3306
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3307
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "fi-FI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\fi-FI"
              }
            ],
            "repeated": 0,
            "id": 3308
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3309
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3310
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "fi-FI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\fi-FI"
              }
            ],
            "repeated": 0,
            "id": 3311
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3312
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3313
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "fr-FR"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\fr-FR"
              }
            ],
            "repeated": 0,
            "id": 3314
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3315
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3316
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "fr-FR"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\fr-FR"
              }
            ],
            "repeated": 0,
            "id": 3317
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3318
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3319
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "hu-HU"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\hu-HU"
              }
            ],
            "repeated": 0,
            "id": 3320
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3321
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3322
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "hu-HU"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\hu-HU"
              }
            ],
            "repeated": 0,
            "id": 3323
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3324
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3325
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "it-IT"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\it-IT"
              }
            ],
            "repeated": 0,
            "id": 3326
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3327
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3328
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "it-IT"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\it-IT"
              }
            ],
            "repeated": 0,
            "id": 3329
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3330
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3331
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "nl-NL"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\nl-NL"
              }
            ],
            "repeated": 0,
            "id": 3332
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3333
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3334
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "nl-NL"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\nl-NL"
              }
            ],
            "repeated": 0,
            "id": 3335
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3336
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3337
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "nb-NO"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\nb-NO"
              }
            ],
            "repeated": 0,
            "id": 3338
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3339
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3340
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "nb-NO"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\nb-NO"
              }
            ],
            "repeated": 0,
            "id": 3341
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3342
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3343
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "pl-PL"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\pl-PL"
              }
            ],
            "repeated": 0,
            "id": 3344
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3345
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3346
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "pl-PL"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\pl-PL"
              }
            ],
            "repeated": 0,
            "id": 3347
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3348
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3349
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "pt-BR"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\pt-BR"
              }
            ],
            "repeated": 0,
            "id": 3350
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3351
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3352
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "pt-BR"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\pt-BR"
              }
            ],
            "repeated": 0,
            "id": 3353
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3354
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3355
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "sk-SK"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\sk-SK"
              }
            ],
            "repeated": 0,
            "id": 3356
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3357
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3358
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "sk-SK"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\sk-SK"
              }
            ],
            "repeated": 0,
            "id": 3359
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3360
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3361
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "sv-SE"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\sv-SE"
              }
            ],
            "repeated": 0,
            "id": 3362
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3363
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3364
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "sv-SE"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\sv-SE"
              }
            ],
            "repeated": 0,
            "id": 3365
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3366
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3367
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "tr-TR"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\tr-TR"
              }
            ],
            "repeated": 0,
            "id": 3368
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3369
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3370
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "tr-TR"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\tr-TR"
              }
            ],
            "repeated": 0,
            "id": 3371
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3372
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3373
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "sl-SI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\sl-SI"
              }
            ],
            "repeated": 0,
            "id": 3374
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3375
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3376
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "sl-SI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\sl-SI"
              }
            ],
            "repeated": 0,
            "id": 3377
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3378
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3379
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "eu-ES"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\eu-ES"
              }
            ],
            "repeated": 0,
            "id": 3380
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3381
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3382
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "eu-ES"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\eu-ES"
              }
            ],
            "repeated": 0,
            "id": 3383
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3384
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3385
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "es-MX"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\es-MX"
              }
            ],
            "repeated": 0,
            "id": 3386
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3387
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3388
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "es-MX"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\es-MX"
              }
            ],
            "repeated": 0,
            "id": 3389
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3390
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3391
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "pt-PT"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\pt-PT"
              }
            ],
            "repeated": 0,
            "id": 3392
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3393
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3394
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "pt-PT"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\pt-PT"
              }
            ],
            "repeated": 0,
            "id": 3395
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3396
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3397
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "es-ES"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\es-ES"
              }
            ],
            "repeated": 0,
            "id": 3398
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3399
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3400
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "es-ES"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\es-ES"
              }
            ],
            "repeated": 0,
            "id": 3401
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3402
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3403
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "fr-CA"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\fr-CA"
              }
            ],
            "repeated": 0,
            "id": 3404
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3405
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3406
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "fr-CA"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\fr-CA"
              }
            ],
            "repeated": 0,
            "id": 3407
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 3408
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08896000"
              },
              {
                "name": "RegionSize",
                "value": "0x00015000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3409
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3410
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08896000"
              },
              {
                "name": "RegionSize",
                "value": "0x00015000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3411
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08896000"
              },
              {
                "name": "RegionSize",
                "value": "0x00015000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3412
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3413
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a25000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3414
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0003c000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3415
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000558"
              }
            ],
            "repeated": 0,
            "id": 3416
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000554"
              }
            ],
            "repeated": 0,
            "id": 3417
          },
          {
            "timestamp": "2026-04-16 20:00:20,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3418
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000055c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\comici.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3419
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000055c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\comici.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3420
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3421
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000554"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000055c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\comici.ttf"
              }
            ],
            "repeated": 0,
            "id": 3422
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000554"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00038000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3423
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3424
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3425
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3426
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08898000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3427
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08898000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3428
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000558"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3429
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000558"
              },
              {
                "name": "ValueName",
                "value": "vi-VN"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\vi-VN"
              }
            ],
            "repeated": 0,
            "id": 3430
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000558"
              }
            ],
            "repeated": 0,
            "id": 3431
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000558"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3432
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000558"
              },
              {
                "name": "ValueName",
                "value": "vi-VN"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\vi-VN"
              }
            ],
            "repeated": 0,
            "id": 3433
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000558"
              }
            ],
            "repeated": 0,
            "id": 3434
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3435
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a26000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3436
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00038000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3437
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000554"
              }
            ],
            "repeated": 0,
            "id": 3438
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              }
            ],
            "repeated": 0,
            "id": 3439
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3440
          },
          {
            "timestamp": "2026-04-16 20:00:20,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000560"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\comicbd.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3441
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000560"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\comicbd.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3442
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3443
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000055c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000560"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\comicbd.ttf"
              }
            ],
            "repeated": 0,
            "id": 3444
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000055c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00039000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3445
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3446
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3447
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3448
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08897000"
              },
              {
                "name": "RegionSize",
                "value": "0x00014000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3449
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08893000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3450
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08893000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3451
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08897000"
              },
              {
                "name": "RegionSize",
                "value": "0x00014000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3452
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3453
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a27000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3454
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3455
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3456
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08898000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3457
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00039000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3458
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              }
            ],
            "repeated": 0,
            "id": 3459
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 3460
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3461
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000560"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\comicz.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3462
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000560"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\comicz.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3463
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3464
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000055c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000560"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\comicz.ttf"
              }
            ],
            "repeated": 0,
            "id": 3465
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000055c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00037000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3466
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3467
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3468
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08898000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3469
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3470
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a28000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3471
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3472
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08898000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3473
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00037000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3474
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              }
            ],
            "repeated": 0,
            "id": 3475
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 3476
          },
          {
            "timestamp": "2026-04-16 20:00:20,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3477
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\consola.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3478
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\consola.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3479
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3480
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000560"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\consola.ttf"
              }
            ],
            "repeated": 0,
            "id": 3481
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000560"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00071000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3482
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3483
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3484
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00071000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3485
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 3486
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 3487
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3488
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\consolai.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3489
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\consolai.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3490
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3491
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000560"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\consolai.ttf"
              }
            ],
            "repeated": 0,
            "id": 3492
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000560"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00073000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3493
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3494
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3495
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a2a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3496
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00073000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3497
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 3498
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 3499
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3500
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\consolab.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3501
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\consolab.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3502
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3503
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000560"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\consolab.ttf"
              }
            ],
            "repeated": 0,
            "id": 3504
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000560"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00062000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3505
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3506
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3507
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a2b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3508
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00062000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3509
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 3510
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 3511
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3512
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\consolaz.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3513
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\consolaz.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3514
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3515
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000560"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\consolaz.ttf"
              }
            ],
            "repeated": 0,
            "id": 3516
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000560"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00064000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3517
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3518
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3519
          },
          {
            "timestamp": "2026-04-16 20:00:20,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a2c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3520
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00064000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3521
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 3522
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 3523
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3524
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\constan.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3525
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\constan.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3526
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3527
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000560"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\constan.ttf"
              }
            ],
            "repeated": 0,
            "id": 3528
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000560"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0006e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3529
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3530
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3531
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a2d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3532
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0006e000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3533
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 3534
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 3535
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3536
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\constani.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3537
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\constani.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3538
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3539
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000560"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\constani.ttf"
              }
            ],
            "repeated": 0,
            "id": 3540
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000560"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0006e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3541
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3542
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3543
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a2e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3544
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0006e000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3545
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 3546
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 3547
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3548
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\constanb.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3549
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\constanb.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3550
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3551
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000560"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\constanb.ttf"
              }
            ],
            "repeated": 0,
            "id": 3552
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000560"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0006f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3553
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3554
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3555
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a2f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3556
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0006f000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3557
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 3558
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 3559
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3560
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\constanz.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3561
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\constanz.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3562
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3563
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000560"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\constanz.ttf"
              }
            ],
            "repeated": 0,
            "id": 3564
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000560"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00070000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3565
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3566
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3567
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a30000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3568
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00070000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3569
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 3570
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 3571
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3572
          },
          {
            "timestamp": "2026-04-16 20:00:20,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\corbel.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3573
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\corbel.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3574
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3575
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000568"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\corbel.ttf"
              }
            ],
            "repeated": 0,
            "id": 3576
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000568"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00044000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3577
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3578
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00044000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3579
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 3580
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 3581
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3582
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\corbell.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3583
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\corbell.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3584
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3585
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000568"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\corbell.ttf"
              }
            ],
            "repeated": 0,
            "id": 3586
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000568"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0002b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3587
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3588
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3589
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a31000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3590
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0002b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3591
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 3592
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 3593
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3594
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\corbeli.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3595
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\corbeli.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3596
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3597
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000568"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\corbeli.ttf"
              }
            ],
            "repeated": 0,
            "id": 3598
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000568"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00046000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3599
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3600
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3601
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a32000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3602
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00046000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3603
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 3604
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 3605
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3606
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\corbelli.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3607
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\corbelli.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3608
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3609
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000568"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\corbelli.ttf"
              }
            ],
            "repeated": 0,
            "id": 3610
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000568"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0002a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3611
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3612
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3613
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a33000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3614
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0002a000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3615
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 3616
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 3617
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3618
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\corbelb.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3619
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\corbelb.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3620
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3621
          },
          {
            "timestamp": "2026-04-16 20:00:20,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000568"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\corbelb.ttf"
              }
            ],
            "repeated": 0,
            "id": 3622
          },
          {
            "timestamp": "2026-04-16 20:00:20,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000568"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00048000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3623
          },
          {
            "timestamp": "2026-04-16 20:00:20,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3624
          },
          {
            "timestamp": "2026-04-16 20:00:20,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3625
          },
          {
            "timestamp": "2026-04-16 20:00:20,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a34000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3626
          },
          {
            "timestamp": "2026-04-16 20:00:20,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00048000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3627
          },
          {
            "timestamp": "2026-04-16 20:00:20,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 3628
          },
          {
            "timestamp": "2026-04-16 20:00:20,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 3629
          },
          {
            "timestamp": "2026-04-16 20:00:20,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3630
          },
          {
            "timestamp": "2026-04-16 20:00:20,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\corbelz.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3631
          },
          {
            "timestamp": "2026-04-16 20:00:20,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\corbelz.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3632
          },
          {
            "timestamp": "2026-04-16 20:00:20,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3633
          },
          {
            "timestamp": "2026-04-16 20:00:20,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000568"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\corbelz.ttf"
              }
            ],
            "repeated": 0,
            "id": 3634
          },
          {
            "timestamp": "2026-04-16 20:00:20,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000568"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00048000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3635
          },
          {
            "timestamp": "2026-04-16 20:00:20,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3636
          },
          {
            "timestamp": "2026-04-16 20:00:20,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3637
          },
          {
            "timestamp": "2026-04-16 20:00:20,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a35000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3638
          },
          {
            "timestamp": "2026-04-16 20:00:20,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00048000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3639
          },
          {
            "timestamp": "2026-04-16 20:00:20,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 3640
          },
          {
            "timestamp": "2026-04-16 20:00:20,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 3641
          },
          {
            "timestamp": "2026-04-16 20:00:20,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3642
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\cour.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3643
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\cour.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3644
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3645
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000568"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\cour.ttf"
              }
            ],
            "repeated": 0,
            "id": 3646
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000568"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000c5000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3647
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3648
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08898000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3649
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3650
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08899000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3651
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3652
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a36000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3653
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08899000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3654
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000c5000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3655
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 3656
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 3657
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08897000"
              },
              {
                "name": "RegionSize",
                "value": "0x00014000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3658
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e0c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3659
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08893000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3660
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08897000"
              },
              {
                "name": "RegionSize",
                "value": "0x00014000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3661
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08893000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3662
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3663
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\couri.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3664
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\couri.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3665
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3666
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000568"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\couri.ttf"
              }
            ],
            "repeated": 0,
            "id": 3667
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000568"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000a3000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3668
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3669
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3670
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02e0c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3671
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3672
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a38000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3673
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3674
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08897000"
              },
              {
                "name": "RegionSize",
                "value": "0x00014000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3675
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000a3000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3676
          },
          {
            "timestamp": "2026-04-16 20:00:20,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 3677
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 3678
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3679
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\courbd.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3680
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\courbd.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3681
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3682
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000568"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\courbd.ttf"
              }
            ],
            "repeated": 0,
            "id": 3683
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000568"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000c5000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3684
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3685
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3686
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08897000"
              },
              {
                "name": "RegionSize",
                "value": "0x00014000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3687
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3688
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a3a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3689
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3690
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08897000"
              },
              {
                "name": "RegionSize",
                "value": "0x00014000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3691
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000c5000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3692
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000568"
              }
            ],
            "repeated": 0,
            "id": 3693
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 3694
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3695
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\courbi.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3696
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\courbi.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3697
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3698
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\courbi.ttf"
              }
            ],
            "repeated": 0,
            "id": 3699
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0008d000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3700
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3701
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3702
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08897000"
              },
              {
                "name": "RegionSize",
                "value": "0x00014000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3703
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3704
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a3c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3705
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3706
          },
          {
            "timestamp": "2026-04-16 20:00:20,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08898000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3707
          },
          {
            "timestamp": "2026-04-16 20:00:20,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0008d000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3708
          },
          {
            "timestamp": "2026-04-16 20:00:20,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000574"
              }
            ],
            "repeated": 0,
            "id": 3709
          },
          {
            "timestamp": "2026-04-16 20:00:20,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 3710
          },
          {
            "timestamp": "2026-04-16 20:00:20,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3711
          },
          {
            "timestamp": "2026-04-16 20:00:20,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\ebrima.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3712
          },
          {
            "timestamp": "2026-04-16 20:00:20,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\ebrima.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3713
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3714
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\ebrima.ttf"
              }
            ],
            "repeated": 0,
            "id": 3715
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000de000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3716
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3717
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3718
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08898000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3719
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3720
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3721
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3722
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a3e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3723
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000de000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3724
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000574"
              }
            ],
            "repeated": 0,
            "id": 3725
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 3726
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3727
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\ebrimabd.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3728
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\ebrimabd.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3729
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3730
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\ebrimabd.ttf"
              }
            ],
            "repeated": 0,
            "id": 3731
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000e0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3732
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3733
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3734
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3735
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3736
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3737
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3738
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3739
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a3f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3740
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e0000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3741
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000574"
              }
            ],
            "repeated": 0,
            "id": 3742
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 3743
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08879000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3744
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3745
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\framd.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3746
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\framd.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3747
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3748
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\framd.ttf"
              }
            ],
            "repeated": 0,
            "id": 3749
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00021000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3750
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3751
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3752
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3753
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3754
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3755
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3756
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3757
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3758
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000574"
              }
            ],
            "repeated": 0,
            "id": 3759
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 3760
          },
          {
            "timestamp": "2026-04-16 20:00:20,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3761
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\framdit.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3762
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\framdit.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3763
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3764
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\framdit.ttf"
              }
            ],
            "repeated": 0,
            "id": 3765
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00025000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3766
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3767
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3768
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3769
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3770
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3771
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a41000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3772
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3773
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3774
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08893000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3775
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3776
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000574"
              }
            ],
            "repeated": 0,
            "id": 3777
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 3778
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3779
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Gabriola.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3780
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Gabriola.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3781
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3782
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Gabriola.ttf"
              }
            ],
            "repeated": 0,
            "id": 3783
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x001b9000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3784
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3785
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3786
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3787
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a43000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3788
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x001b9000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3789
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000574"
              }
            ],
            "repeated": 0,
            "id": 3790
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 3791
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3792
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\gadugi.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3793
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\gadugi.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3794
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3795
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\gadugi.ttf"
              }
            ],
            "repeated": 0,
            "id": 3796
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0003d000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3797
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3798
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0003d000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3799
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 3800
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 3801
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3802
          },
          {
            "timestamp": "2026-04-16 20:00:20,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\gadugib.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3803
          },
          {
            "timestamp": "2026-04-16 20:00:20,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\gadugib.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3804
          },
          {
            "timestamp": "2026-04-16 20:00:20,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3805
          },
          {
            "timestamp": "2026-04-16 20:00:20,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\gadugib.ttf"
              }
            ],
            "repeated": 0,
            "id": 3806
          },
          {
            "timestamp": "2026-04-16 20:00:20,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000570"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0003c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3807
          },
          {
            "timestamp": "2026-04-16 20:00:20,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3808
          },
          {
            "timestamp": "2026-04-16 20:00:20,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3809
          },
          {
            "timestamp": "2026-04-16 20:00:20,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a44000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3810
          },
          {
            "timestamp": "2026-04-16 20:00:20,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0003c000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3811
          },
          {
            "timestamp": "2026-04-16 20:00:20,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 3812
          },
          {
            "timestamp": "2026-04-16 20:00:20,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 3813
          },
          {
            "timestamp": "2026-04-16 20:00:20,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3814
          },
          {
            "timestamp": "2026-04-16 20:00:20,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\georgia.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3815
          },
          {
            "timestamp": "2026-04-16 20:00:20,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\georgia.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3816
          },
          {
            "timestamp": "2026-04-16 20:00:20,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3817
          },
          {
            "timestamp": "2026-04-16 20:00:20,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\georgia.ttf"
              }
            ],
            "repeated": 0,
            "id": 3818
          },
          {
            "timestamp": "2026-04-16 20:00:20,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000570"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00036000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3819
          },
          {
            "timestamp": "2026-04-16 20:00:20,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3820
          },
          {
            "timestamp": "2026-04-16 20:00:20,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08893000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3821
          },
          {
            "timestamp": "2026-04-16 20:00:20,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3822
          },
          {
            "timestamp": "2026-04-16 20:00:20,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a45000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3823
          },
          {
            "timestamp": "2026-04-16 20:00:20,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00036000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3824
          },
          {
            "timestamp": "2026-04-16 20:00:20,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 3825
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 3826
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3827
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\georgiai.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3828
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\georgiai.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3829
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3830
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\georgiai.ttf"
              }
            ],
            "repeated": 0,
            "id": 3831
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00033000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3832
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3833
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3834
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a46000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3835
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00033000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3836
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000574"
              }
            ],
            "repeated": 0,
            "id": 3837
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 3838
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3839
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\georgiab.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3840
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\georgiab.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3841
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3842
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\georgiab.ttf"
              }
            ],
            "repeated": 0,
            "id": 3843
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00033000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3844
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3845
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3846
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3847
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3848
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3849
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a47000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3850
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00033000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3851
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000574"
              }
            ],
            "repeated": 0,
            "id": 3852
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 3853
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3854
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\georgiaz.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3855
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\georgiaz.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3856
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3857
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\georgiaz.ttf"
              }
            ],
            "repeated": 0,
            "id": 3858
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00034000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3859
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3860
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3861
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a48000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3862
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3863
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3864
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00034000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3865
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000574"
              }
            ],
            "repeated": 0,
            "id": 3866
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 3867
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3868
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\impact.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3869
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\impact.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3870
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3871
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3872
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\impact.ttf"
              }
            ],
            "repeated": 0,
            "id": 3873
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00033000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3874
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3875
          },
          {
            "timestamp": "2026-04-16 20:00:20,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3876
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3877
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a49000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3878
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3879
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3880
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00033000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3881
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000574"
              }
            ],
            "repeated": 0,
            "id": 3882
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 3883
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3884
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Inkfree.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3885
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Inkfree.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3886
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3887
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Inkfree.ttf"
              }
            ],
            "repeated": 0,
            "id": 3888
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0000e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3889
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3890
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3891
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08581000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3892
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3893
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3894
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a4a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3895
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3896
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889c000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3897
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3898
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000574"
              }
            ],
            "repeated": 0,
            "id": 3899
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 3900
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3901
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\javatext.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3902
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\javatext.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3903
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3904
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\javatext.ttf"
              }
            ],
            "repeated": 0,
            "id": 3905
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0004b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3906
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3907
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3908
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889c000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3909
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3910
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a4b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3911
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3912
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889c000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3913
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0004b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3914
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000574"
              }
            ],
            "repeated": 0,
            "id": 3915
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 3916
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3917
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LeelawUI.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3918
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LeelawUI.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3919
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3920
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LeelawUI.ttf"
              }
            ],
            "repeated": 0,
            "id": 3921
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00061000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3922
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3923
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3924
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3925
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a4c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3926
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00061000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3927
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000574"
              }
            ],
            "repeated": 0,
            "id": 3928
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 3929
          },
          {
            "timestamp": "2026-04-16 20:00:20,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3930
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LeelUIsl.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3931
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LeelUIsl.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3932
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3933
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LeelUIsl.ttf"
              }
            ],
            "repeated": 0,
            "id": 3934
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0005f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3935
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3936
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889c000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3937
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3938
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a4d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3939
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005f000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3940
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 3941
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 3942
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3943
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LeelaUIb.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3944
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LeelaUIb.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3945
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3946
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LeelaUIb.ttf"
              }
            ],
            "repeated": 0,
            "id": 3947
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00050000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3948
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3949
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3950
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a4e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3951
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00050000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3952
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000574"
              }
            ],
            "repeated": 0,
            "id": 3953
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 3954
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3955
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\lucon.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3956
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\lucon.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3957
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3958
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\lucon.ttf"
              }
            ],
            "repeated": 0,
            "id": 3959
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000578"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0001c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3960
          },
          {
            "timestamp": "2026-04-16 20:00:20,893",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3961
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3962
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3963
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3964
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a4f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3965
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3966
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 3967
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 3968
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3969
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\l_10646.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3970
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\l_10646.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3971
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3972
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\l_10646.ttf"
              }
            ],
            "repeated": 0,
            "id": 3973
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000578"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0004c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3974
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 3975
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3976
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3977
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3978
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3979
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3980
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 3981
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3982
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a50000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3983
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3984
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0004c000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3985
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 3986
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 3987
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 3988
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000570"
              },
              {
                "name": "ValueName",
                "value": "ko-kr"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ko-kr"
              }
            ],
            "repeated": 0,
            "id": 3989
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 3990
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 3991
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000570"
              },
              {
                "name": "ValueName",
                "value": "ko-kr"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ko-kr"
              }
            ],
            "repeated": 0,
            "id": 3992
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 3993
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3994
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\malgunsl.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3995
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000057c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\malgunsl.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3996
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3997
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000057c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\malgunsl.ttf"
              }
            ],
            "repeated": 0,
            "id": 3998
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000570"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x004da000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3999
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4000
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4001
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4002
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a51000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4003
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x004da000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4004
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 4005
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4006
          },
          {
            "timestamp": "2026-04-16 20:00:20,908",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4007
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\malgunbd.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4008
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000057c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\malgunbd.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4009
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4010
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000057c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\malgunbd.ttf"
              }
            ],
            "repeated": 0,
            "id": 4011
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000570"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00c04000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4012
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4013
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4014
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a52000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4015
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4016
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4017
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00c04000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4018
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 4019
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4020
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4021
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\himalaya.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4022
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000057c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\himalaya.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4023
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4024
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000057c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\himalaya.ttf"
              }
            ],
            "repeated": 0,
            "id": 4025
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000570"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0008c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4026
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4027
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4028
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4029
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a54000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4030
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0008c000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4031
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 4032
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4033
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 4034
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ValueName",
                "value": "zh-hk"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\zh-hk"
              }
            ],
            "repeated": 0,
            "id": 4035
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4036
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 4037
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ValueName",
                "value": "zh-hk"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\zh-hk"
              }
            ],
            "repeated": 0,
            "id": 4038
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4039
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 4040
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ValueName",
                "value": "zh-tw"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\zh-tw"
              }
            ],
            "repeated": 0,
            "id": 4041
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4042
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 4043
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ValueName",
                "value": "zh-tw"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\zh-tw"
              }
            ],
            "repeated": 0,
            "id": 4044
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4045
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4046
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msjhl.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4047
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000057c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\msjhl.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4048
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4049
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000057c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msjhl.ttc"
              }
            ],
            "repeated": 0,
            "id": 4050
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000570"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x00c48000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4051
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4052
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4053
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4054
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a55000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4055
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00c48000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4056
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 4057
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4058
          },
          {
            "timestamp": "2026-04-16 20:00:20,924",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4059
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msjhbd.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4060
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\msjhbd.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4061
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4062
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msjhbd.ttc"
              }
            ],
            "repeated": 0,
            "id": 4063
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x00dc6000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4064
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4065
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4066
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4067
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4068
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4069
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a56000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4070
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4071
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00dc6000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4072
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 4073
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4074
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4075
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msjh.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4076
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\msjh.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4077
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4078
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msjh.ttc"
              }
            ],
            "repeated": 0,
            "id": 4079
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x0146a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4080
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4081
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4082
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4083
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a58000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4084
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0146a000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4085
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 4086
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4087
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4088
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msjhl.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4089
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\msjhl.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4090
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4091
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msjhl.ttc"
              }
            ],
            "repeated": 0,
            "id": 4092
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x00c48000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4093
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4094
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4095
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a59000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4096
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00c48000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4097
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 4098
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4099
          },
          {
            "timestamp": "2026-04-16 20:00:20,939",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4100
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msjhbd.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4101
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\msjhbd.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4102
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4103
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msjhbd.ttc"
              }
            ],
            "repeated": 0,
            "id": 4104
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x00dc6000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4105
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4106
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4107
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4108
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a5a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4109
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00dc6000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4110
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4111
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4112
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4113
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\ntailu.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4114
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\ntailu.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4115
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4116
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\ntailu.ttf"
              }
            ],
            "repeated": 0,
            "id": 4117
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00013000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4118
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4119
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4120
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a5c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4121
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4122
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4123
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4124
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4125
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\ntailub.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4126
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\ntailub.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4127
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4128
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\ntailub.ttf"
              }
            ],
            "repeated": 0,
            "id": 4129
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00011000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4130
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4131
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4132
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4133
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4134
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4135
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\phagspa.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4136
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\phagspa.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4137
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4138
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\phagspa.ttf"
              }
            ],
            "repeated": 0,
            "id": 4139
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00017000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4140
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4141
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4142
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a5d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4143
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00017000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4144
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4145
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4146
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4147
          },
          {
            "timestamp": "2026-04-16 20:00:20,955",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\phagspab.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4148
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\phagspab.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4149
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4150
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\phagspab.ttf"
              }
            ],
            "repeated": 0,
            "id": 4151
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4152
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4153
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4154
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a5e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4155
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4156
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4157
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4158
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4159
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\micross.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4160
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\micross.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4161
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4162
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\micross.ttf"
              }
            ],
            "repeated": 0,
            "id": 4163
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000d6000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4164
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4165
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4166
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a5f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4167
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4168
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4169
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000d6000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4170
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4171
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4172
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4173
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\taile.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4174
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\taile.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4175
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4176
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\taile.ttf"
              }
            ],
            "repeated": 0,
            "id": 4177
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00011000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4178
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4179
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4180
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4181
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4182
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4183
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4184
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\taileb.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4185
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\taileb.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4186
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4187
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\taileb.ttf"
              }
            ],
            "repeated": 0,
            "id": 4188
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0000f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4189
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4190
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4191
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a61000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4192
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4193
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4194
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4195
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 4196
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000580"
              },
              {
                "name": "ValueName",
                "value": "zh-cn"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\zh-cn"
              }
            ],
            "repeated": 0,
            "id": 4197
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4198
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 4199
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000580"
              },
              {
                "name": "ValueName",
                "value": "zh-cn"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\zh-cn"
              }
            ],
            "repeated": 0,
            "id": 4200
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4201
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4202
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msyhl.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4203
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\msyhl.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4204
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4205
          },
          {
            "timestamp": "2026-04-16 20:00:20,971",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msyhl.ttc"
              }
            ],
            "repeated": 0,
            "id": 4206
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x00b94000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4207
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4208
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4209
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a62000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4210
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00b94000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4211
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4212
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4213
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4214
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msyhbd.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4215
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\msyhbd.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4216
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4217
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msyhbd.ttc"
              }
            ],
            "repeated": 0,
            "id": 4218
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x0100d000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4219
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4220
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4221
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a63000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4222
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0100d000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4223
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4224
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4225
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4226
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msyh.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4227
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\msyh.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4228
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4229
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msyh.ttc"
              }
            ],
            "repeated": 0,
            "id": 4230
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x012bd000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4231
          },
          {
            "timestamp": "2026-04-16 20:00:20,986",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4232
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4233
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a65000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4234
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x012bd000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4235
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4236
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4237
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4238
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msyhl.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4239
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\msyhl.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4240
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4241
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msyhl.ttc"
              }
            ],
            "repeated": 0,
            "id": 4242
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x00b94000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4243
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4244
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4245
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a67000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4246
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00b94000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4247
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4248
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4249
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4250
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msyhbd.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4251
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\msyhbd.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4252
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4253
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msyhbd.ttc"
              }
            ],
            "repeated": 0,
            "id": 4254
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x0100d000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4255
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4256
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4257
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a69000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4258
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0100d000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4259
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4260
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4261
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4262
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msyi.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4263
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\msyi.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4264
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4265
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msyi.ttf"
              }
            ],
            "repeated": 0,
            "id": 4266
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0004a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4267
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4268
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0004a000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4269
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4270
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4271
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4272
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\mingliub.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4273
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\mingliub.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4274
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4275
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\mingliub.ttc"
              }
            ],
            "repeated": 0,
            "id": 4276
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x02316000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4277
          },
          {
            "timestamp": "2026-04-16 20:00:21,002",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4278
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4279
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4280
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a6b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4281
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x02316000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4282
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4283
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4284
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4285
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\mingliub.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4286
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\mingliub.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4287
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4288
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\mingliub.ttc"
              }
            ],
            "repeated": 0,
            "id": 4289
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x02316000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4290
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4291
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4292
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a6c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4293
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x02316000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4294
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 4295
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4296
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4297
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\mingliub.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4298
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\mingliub.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4299
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4300
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\mingliub.ttc"
              }
            ],
            "repeated": 0,
            "id": 4301
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x02316000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4302
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4303
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4304
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a6d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4305
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x02316000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4306
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 4307
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4308
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4309
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\monbaiti.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4310
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\monbaiti.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4311
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4312
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\monbaiti.ttf"
              }
            ],
            "repeated": 0,
            "id": 4313
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00047000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4314
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4315
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4316
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a6e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4317
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00047000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4318
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 4319
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4320
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 4321
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000580"
              },
              {
                "name": "ValueName",
                "value": "ja-jp"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ja-jp"
              }
            ],
            "repeated": 0,
            "id": 4322
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4323
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 4324
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000580"
              },
              {
                "name": "ValueName",
                "value": "ja-jp"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ja-jp"
              }
            ],
            "repeated": 0,
            "id": 4325
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4326
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4327
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msgothic.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4328
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\msgothic.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4329
          },
          {
            "timestamp": "2026-04-16 20:00:21,018",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4330
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msgothic.ttc"
              }
            ],
            "repeated": 0,
            "id": 4331
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x00893000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4332
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4333
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4334
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a6f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4335
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4336
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4337
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00893000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4338
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4339
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4340
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4341
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msgothic.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4342
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\msgothic.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4343
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4344
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\msgothic.ttc"
              }
            ],
            "repeated": 0,
            "id": 4345
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x00893000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4346
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4347
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4348
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4349
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4350
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a71000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4351
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4352
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4353
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00893000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4354
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4355
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4356
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4357
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\mvboli.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4358
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\mvboli.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4359
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4360
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\mvboli.ttf"
              }
            ],
            "repeated": 0,
            "id": 4361
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00014000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4362
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4363
          },
          {
            "timestamp": "2026-04-16 20:00:21,033",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4364
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00014000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4365
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4366
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4367
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4368
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\mmrtext.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4369
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\mmrtext.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4370
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4371
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\mmrtext.ttf"
              }
            ],
            "repeated": 0,
            "id": 4372
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00057000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4373
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4374
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4375
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a74000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4376
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x00057000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4377
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4378
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4379
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4380
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\mmrtextb.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4381
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\mmrtextb.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4382
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4383
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\mmrtextb.ttf"
              }
            ],
            "repeated": 0,
            "id": 4384
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00052000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4385
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4386
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4387
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a75000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4388
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x00052000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4389
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4390
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4391
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4392
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Nirmala.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4393
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Nirmala.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4394
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4395
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Nirmala.ttf"
              }
            ],
            "repeated": 0,
            "id": 4396
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00173000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4397
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4398
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4399
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4400
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a76000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4401
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00173000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4402
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4403
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4404
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4405
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NirmalaS.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4406
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NirmalaS.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4407
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4408
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NirmalaS.ttf"
              }
            ],
            "repeated": 0,
            "id": 4409
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0017c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4410
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4411
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4412
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a77000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4413
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0017c000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4414
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4415
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4416
          },
          {
            "timestamp": "2026-04-16 20:00:21,049",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4417
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NirmalaB.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4418
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000584"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NirmalaB.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4419
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4420
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000584"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NirmalaB.ttf"
              }
            ],
            "repeated": 0,
            "id": 4421
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000580"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00168000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4422
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4423
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4424
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a78000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4425
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00168000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4426
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4427
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 4428
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4429
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\pala.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4430
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\pala.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4431
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4432
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\pala.ttf"
              }
            ],
            "repeated": 0,
            "id": 4433
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00074000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4434
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4435
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4436
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a79000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4437
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00074000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4438
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 4439
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 4440
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4441
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\palai.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4442
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\palai.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4443
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4444
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\palai.ttf"
              }
            ],
            "repeated": 0,
            "id": 4445
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00066000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4446
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4447
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4448
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a7b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4449
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00066000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4450
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 4451
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 4452
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4453
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\palab.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4454
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\palab.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4455
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4456
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\palab.ttf"
              }
            ],
            "repeated": 0,
            "id": 4457
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00067000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4458
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4459
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4460
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a7c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4461
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00067000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4462
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 4463
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 4464
          },
          {
            "timestamp": "2026-04-16 20:00:21,064",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4465
          },
          {
            "timestamp": "2026-04-16 20:00:21,080",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\palabi.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4466
          },
          {
            "timestamp": "2026-04-16 20:00:21,080",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\palabi.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4467
          },
          {
            "timestamp": "2026-04-16 20:00:21,080",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4468
          },
          {
            "timestamp": "2026-04-16 20:00:21,080",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\palabi.ttf"
              }
            ],
            "repeated": 0,
            "id": 4469
          },
          {
            "timestamp": "2026-04-16 20:00:21,080",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00052000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4470
          },
          {
            "timestamp": "2026-04-16 20:00:21,080",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4471
          },
          {
            "timestamp": "2026-04-16 20:00:21,080",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4472
          },
          {
            "timestamp": "2026-04-16 20:00:21,080",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a7e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4473
          },
          {
            "timestamp": "2026-04-16 20:00:21,080",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x00052000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4474
          },
          {
            "timestamp": "2026-04-16 20:00:21,080",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 4475
          },
          {
            "timestamp": "2026-04-16 20:00:21,080",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 4476
          },
          {
            "timestamp": "2026-04-16 20:00:21,080",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4477
          },
          {
            "timestamp": "2026-04-16 20:00:21,080",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\segoepr.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4478
          },
          {
            "timestamp": "2026-04-16 20:00:21,080",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\segoepr.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4479
          },
          {
            "timestamp": "2026-04-16 20:00:21,080",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4480
          },
          {
            "timestamp": "2026-04-16 20:00:21,080",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\segoepr.ttf"
              }
            ],
            "repeated": 0,
            "id": 4481
          },
          {
            "timestamp": "2026-04-16 20:00:21,080",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0002a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4482
          },
          {
            "timestamp": "2026-04-16 20:00:21,080",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4483
          },
          {
            "timestamp": "2026-04-16 20:00:21,080",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4484
          },
          {
            "timestamp": "2026-04-16 20:00:21,080",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a80000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4485
          },
          {
            "timestamp": "2026-04-16 20:00:21,080",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0002a000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4486
          },
          {
            "timestamp": "2026-04-16 20:00:21,080",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 4487
          },
          {
            "timestamp": "2026-04-16 20:00:21,096",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 4488
          },
          {
            "timestamp": "2026-04-16 20:00:21,096",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4489
          },
          {
            "timestamp": "2026-04-16 20:00:21,096",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\segoeprb.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4490
          },
          {
            "timestamp": "2026-04-16 20:00:21,096",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\segoeprb.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4491
          },
          {
            "timestamp": "2026-04-16 20:00:21,096",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4492
          },
          {
            "timestamp": "2026-04-16 20:00:21,096",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\segoeprb.ttf"
              }
            ],
            "repeated": 0,
            "id": 4493
          },
          {
            "timestamp": "2026-04-16 20:00:21,096",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00029000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4494
          },
          {
            "timestamp": "2026-04-16 20:00:21,096",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4495
          },
          {
            "timestamp": "2026-04-16 20:00:21,096",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00029000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4496
          },
          {
            "timestamp": "2026-04-16 20:00:21,096",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 4497
          },
          {
            "timestamp": "2026-04-16 20:00:21,096",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 4498
          },
          {
            "timestamp": "2026-04-16 20:00:21,096",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4499
          },
          {
            "timestamp": "2026-04-16 20:00:21,096",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\segoesc.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4500
          },
          {
            "timestamp": "2026-04-16 20:00:21,096",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\segoesc.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4501
          },
          {
            "timestamp": "2026-04-16 20:00:21,096",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4502
          },
          {
            "timestamp": "2026-04-16 20:00:21,096",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\segoesc.ttf"
              }
            ],
            "repeated": 0,
            "id": 4503
          },
          {
            "timestamp": "2026-04-16 20:00:21,096",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00092000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4504
          },
          {
            "timestamp": "2026-04-16 20:00:21,096",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4505
          },
          {
            "timestamp": "2026-04-16 20:00:21,096",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4506
          },
          {
            "timestamp": "2026-04-16 20:00:21,096",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a81000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4507
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00092000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4508
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4509
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4510
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4511
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\segoescb.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4512
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\segoescb.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4513
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4514
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\segoescb.ttf"
              }
            ],
            "repeated": 0,
            "id": 4515
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0008e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4516
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4517
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4518
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a82000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4519
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0008e000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4520
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4521
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4522
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4523
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\seguiemj.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4524
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\seguiemj.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4525
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4526
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\seguiemj.ttf"
              }
            ],
            "repeated": 0,
            "id": 4527
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000578"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x001fa000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4528
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4529
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4530
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a83000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4531
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x001fa000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4532
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4533
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 4534
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4535
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\seguihis.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4536
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\seguihis.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4537
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4538
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\seguihis.ttf"
              }
            ],
            "repeated": 0,
            "id": 4539
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000578"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00156000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4540
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4541
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4542
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a84000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4543
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00156000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4544
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4545
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 4546
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4547
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\seguisym.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4548
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\seguisym.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4549
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4550
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\seguisym.ttf"
              }
            ],
            "repeated": 0,
            "id": 4551
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000580"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00258000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4552
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4553
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4554
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a85000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4555
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00258000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4556
          },
          {
            "timestamp": "2026-04-16 20:00:21,111",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4557
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 4558
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 4559
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000570"
              },
              {
                "name": "ValueName",
                "value": "zh-sg"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\zh-sg"
              }
            ],
            "repeated": 0,
            "id": 4560
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 4561
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 4562
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000570"
              },
              {
                "name": "ValueName",
                "value": "zh-sg"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\zh-sg"
              }
            ],
            "repeated": 0,
            "id": 4563
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 4564
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4565
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\simsun.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4566
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\simsun.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4567
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4568
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\simsun.ttc"
              }
            ],
            "repeated": 0,
            "id": 4569
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000578"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x0115f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4570
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4571
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4572
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a86000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4573
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0115f000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4574
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4575
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 4576
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4577
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\simsunb.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4578
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\simsunb.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4579
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4580
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000570"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\simsunb.ttf"
              }
            ],
            "repeated": 0,
            "id": 4581
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000578"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x01047000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4582
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4583
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4584
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4585
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08895000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4586
          },
          {
            "timestamp": "2026-04-16 20:00:21,127",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4587
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a87000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4588
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4589
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x01047000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4590
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4591
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 4592
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4593
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000574"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Sitka.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4594
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000574"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Sitka.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4595
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4596
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000574"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Sitka.ttc"
              }
            ],
            "repeated": 0,
            "id": 4597
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000e7000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4598
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4599
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4600
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4601
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4602
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08893000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4603
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08893000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4604
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4605
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a88000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4606
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e7000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4607
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4608
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000574"
              }
            ],
            "repeated": 0,
            "id": 4609
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4610
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaI.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4611
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\SitkaI.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4612
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4613
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaI.ttc"
              }
            ],
            "repeated": 0,
            "id": 4614
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000574"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000f2000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4615
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4616
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4617
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4618
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a8a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4619
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000f2000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4620
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000574"
              }
            ],
            "repeated": 0,
            "id": 4621
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4622
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4623
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaB.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4624
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\SitkaB.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4625
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4626
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaB.ttc"
              }
            ],
            "repeated": 0,
            "id": 4627
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000570"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000e5000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4628
          },
          {
            "timestamp": "2026-04-16 20:00:21,143",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4629
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4630
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a8b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4631
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e5000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4632
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 4633
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4634
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4635
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaZ.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4636
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\SitkaZ.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4637
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4638
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000570"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaZ.ttc"
              }
            ],
            "repeated": 0,
            "id": 4639
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000570"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000f0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4640
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4641
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4642
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a8d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4643
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000f0000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4644
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000570"
              }
            ],
            "repeated": 0,
            "id": 4645
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4646
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4647
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Sitka.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4648
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Sitka.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4649
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4650
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Sitka.ttc"
              }
            ],
            "repeated": 0,
            "id": 4651
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000578"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000e7000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4652
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4653
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08895000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4654
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4655
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a8e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4656
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e7000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4657
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4658
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4659
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4660
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaI.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4661
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\SitkaI.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4662
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4663
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000564"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaI.ttc"
              }
            ],
            "repeated": 0,
            "id": 4664
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000578"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000f2000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4665
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4666
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4667
          },
          {
            "timestamp": "2026-04-16 20:00:21,158",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4668
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000f2000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4669
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4670
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4671
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4672
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaB.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4673
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\SitkaB.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4674
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4675
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaB.ttc"
              }
            ],
            "repeated": 0,
            "id": 4676
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000e5000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4677
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4678
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4679
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a91000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4680
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e5000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4681
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4682
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4683
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4684
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaZ.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4685
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\SitkaZ.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4686
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4687
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaZ.ttc"
              }
            ],
            "repeated": 0,
            "id": 4688
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000f0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4689
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4690
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4691
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a93000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4692
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000f0000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4693
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4694
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4695
          },
          {
            "timestamp": "2026-04-16 20:00:21,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4696
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Sitka.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4697
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Sitka.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4698
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4699
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Sitka.ttc"
              }
            ],
            "repeated": 0,
            "id": 4700
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000e7000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4701
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4702
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4703
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a94000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4704
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e7000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4705
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4706
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4707
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4708
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaI.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4709
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\SitkaI.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4710
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4711
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaI.ttc"
              }
            ],
            "repeated": 0,
            "id": 4712
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000f2000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4713
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4714
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4715
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a96000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4716
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000f2000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4717
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4718
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4719
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4720
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaB.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4721
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\SitkaB.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4722
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4723
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaB.ttc"
              }
            ],
            "repeated": 0,
            "id": 4724
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000e5000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4725
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4726
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4727
          },
          {
            "timestamp": "2026-04-16 20:00:21,189",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a97000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4728
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e5000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4729
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4730
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4731
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4732
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaZ.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4733
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\SitkaZ.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4734
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4735
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaZ.ttc"
              }
            ],
            "repeated": 0,
            "id": 4736
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000f0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4737
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4738
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4739
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a99000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4740
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000f0000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4741
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4742
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4743
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4744
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Sitka.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4745
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Sitka.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4746
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4747
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Sitka.ttc"
              }
            ],
            "repeated": 0,
            "id": 4748
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000e7000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4749
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4750
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4751
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a9a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4752
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e7000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4753
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4754
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4755
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4756
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaI.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4757
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\SitkaI.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4758
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4759
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaI.ttc"
              }
            ],
            "repeated": 0,
            "id": 4760
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000f2000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4761
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4762
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4763
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a9b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4764
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000f2000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4765
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4766
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4767
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4768
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaB.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4769
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\SitkaB.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4770
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4771
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000580"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaB.ttc"
              }
            ],
            "repeated": 0,
            "id": 4772
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000e5000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4773
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4774
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4775
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a9d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4776
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e5000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4777
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4778
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 4779
          },
          {
            "timestamp": "2026-04-16 20:00:21,205",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4780
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaZ.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4781
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\SitkaZ.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4782
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4783
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaZ.ttc"
              }
            ],
            "repeated": 0,
            "id": 4784
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000f0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4785
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4786
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4787
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09a9e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4788
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000f0000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4789
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4790
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4791
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4792
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Sitka.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4793
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Sitka.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4794
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4795
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Sitka.ttc"
              }
            ],
            "repeated": 0,
            "id": 4796
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000e7000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4797
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4798
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4799
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09aa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4800
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e7000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4801
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4802
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4803
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4804
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaI.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4805
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\SitkaI.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4806
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4807
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaI.ttc"
              }
            ],
            "repeated": 0,
            "id": 4808
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000f2000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4809
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4810
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4811
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09aa1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4812
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000f2000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4813
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4814
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4815
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4816
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaB.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4817
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\SitkaB.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4818
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4819
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaB.ttc"
              }
            ],
            "repeated": 0,
            "id": 4820
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000e5000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4821
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4822
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4823
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09aa3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4824
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e5000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4825
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4826
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4827
          },
          {
            "timestamp": "2026-04-16 20:00:21,221",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4828
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaZ.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4829
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\SitkaZ.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4830
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4831
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaZ.ttc"
              }
            ],
            "repeated": 0,
            "id": 4832
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000f0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4833
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4834
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4835
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09aa4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4836
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000f0000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4837
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4838
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4839
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4840
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Sitka.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4841
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Sitka.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4842
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4843
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Sitka.ttc"
              }
            ],
            "repeated": 0,
            "id": 4844
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000e7000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4845
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4846
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4847
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09aa6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4848
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e7000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4849
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4850
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4851
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4852
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaI.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4853
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\SitkaI.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4854
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4855
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaI.ttc"
              }
            ],
            "repeated": 0,
            "id": 4856
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000f2000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4857
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4858
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4859
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09aa7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4860
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000f2000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4861
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4862
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4863
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4864
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaB.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4865
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\SitkaB.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4866
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4867
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaB.ttc"
              }
            ],
            "repeated": 0,
            "id": 4868
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000e5000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4869
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4870
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4871
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09aa9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4872
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e5000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4873
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4874
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4875
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4876
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaZ.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4877
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\SitkaZ.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4878
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4879
          },
          {
            "timestamp": "2026-04-16 20:00:21,236",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SitkaZ.ttc"
              }
            ],
            "repeated": 0,
            "id": 4880
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x000f0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4881
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4882
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4883
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09aaa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4884
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000f0000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4885
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4886
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4887
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4888
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\sylfaen.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4889
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\sylfaen.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4890
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4891
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\sylfaen.ttf"
              }
            ],
            "repeated": 0,
            "id": 4892
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0003f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4893
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4894
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4895
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09aac000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4896
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0003f000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4897
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4898
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4899
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4900
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\symbol.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4901
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\symbol.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4902
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4903
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\symbol.ttf"
              }
            ],
            "repeated": 0,
            "id": 4904
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00011000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4905
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4906
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4907
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09aad000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4908
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4909
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4910
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4911
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4912
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4913
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4914
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4915
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\tahoma.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4916
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\tahoma.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4917
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4918
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\tahoma.ttf"
              }
            ],
            "repeated": 0,
            "id": 4919
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000e6000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4920
          },
          {
            "timestamp": "2026-04-16 20:00:21,268",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4921
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4922
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4923
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4924
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09aae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4925
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4926
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4927
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e6000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4928
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 4929
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 4930
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4931
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "3964",
            "caller": "0x772605b6",
            "parentcaller": "0x76ac7ecc",
            "category": "process",
            "api": "CreateProcessW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\\\dw20.exe"
              },
              {
                "name": "CommandLine",
                "value": "dw20.exe -x -s 1208"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ProcessId",
                "value": "3832"
              },
              {
                "name": "ThreadId",
                "value": "3296"
              },
              {
                "name": "ProcessHandle",
                "value": "0x000004e0"
              },
              {
                "name": "ThreadHandle",
                "value": "0x000004e4"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4932
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "3964",
            "caller": "0x772627d9",
            "parentcaller": "0x77262732",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4933
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "3964",
            "caller": "0x772627d9",
            "parentcaller": "0x77262732",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              },
              {
                "name": "Milliseconds",
                "value": "20000"
              }
            ],
            "repeated": 0,
            "id": 4934
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\tahomabd.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4935
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\tahomabd.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4936
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4937
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\tahomabd.ttf"
              }
            ],
            "repeated": 0,
            "id": 4938
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004e8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000d4000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4939
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4940
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4941
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4942
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4943
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09aaf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4944
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4945
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4946
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000d4000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4947
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e8"
              }
            ],
            "repeated": 0,
            "id": 4948
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 4949
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4950
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\trebuc.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4951
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\trebuc.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4952
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4953
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\trebuc.ttf"
              }
            ],
            "repeated": 0,
            "id": 4954
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004e8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0003f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4955
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4956
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4957
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4958
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ab1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4959
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0003f000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4960
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e8"
              }
            ],
            "repeated": 0,
            "id": 4961
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 4962
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4963
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\trebucit.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4964
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\trebucit.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4965
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4966
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\trebucit.ttf"
              }
            ],
            "repeated": 0,
            "id": 4967
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004e8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0003e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4968
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4969
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4970
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4971
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ab2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4972
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0003e000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4973
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e8"
              }
            ],
            "repeated": 0,
            "id": 4974
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 4975
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4976
          },
          {
            "timestamp": "2026-04-16 20:00:21,283",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\trebucbd.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4977
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\trebucbd.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4978
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4979
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\trebucbd.ttf"
              }
            ],
            "repeated": 0,
            "id": 4980
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0003c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4981
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4982
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4983
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ab4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4984
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0003c000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4985
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4986
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 4987
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4988
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\trebucbi.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4989
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\trebucbi.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4990
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4991
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\trebucbi.ttf"
              }
            ],
            "repeated": 0,
            "id": 4992
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00038000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4993
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 4994
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4995
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ab5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4996
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00038000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4997
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 4998
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 4999
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5000
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\verdana.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5001
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\verdana.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5002
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5003
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\verdana.ttf"
              }
            ],
            "repeated": 0,
            "id": 5004
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0003c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5005
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5006
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5007
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ab7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5008
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0003c000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5009
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 5010
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5011
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5012
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\verdanai.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5013
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\verdanai.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5014
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5015
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\verdanai.ttf"
              }
            ],
            "repeated": 0,
            "id": 5016
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00037000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5017
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5018
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5019
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ab8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5020
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00037000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5021
          },
          {
            "timestamp": "2026-04-16 20:00:21,299",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 5022
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5023
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5024
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\verdanab.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5025
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\verdanab.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5026
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5027
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\verdanab.ttf"
              }
            ],
            "repeated": 0,
            "id": 5028
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00034000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5029
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5030
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5031
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ab9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5032
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00034000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5033
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 5034
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 5035
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5036
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\verdanaz.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5037
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\verdanaz.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5038
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5039
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\verdanaz.ttf"
              }
            ],
            "repeated": 0,
            "id": 5040
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00039000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5041
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5042
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5043
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09aba000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5044
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00039000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5045
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 5046
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 5047
          },
          {
            "timestamp": "2026-04-16 20:00:21,314",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5048
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\webdings.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5049
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\webdings.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5050
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5051
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\webdings.ttf"
              }
            ],
            "repeated": 0,
            "id": 5052
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0001e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5053
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5054
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5055
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09abb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5056
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001e000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5057
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 5058
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5059
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5060
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\wingding.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5061
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\wingding.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5062
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5063
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\wingding.ttf"
              }
            ],
            "repeated": 0,
            "id": 5064
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00015000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5065
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5066
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5067
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09abc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5068
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5069
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5070
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00015000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5071
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 5072
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5073
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5074
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\YuGothM.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5075
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\YuGothM.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5076
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5077
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\YuGothM.ttc"
              }
            ],
            "repeated": 0,
            "id": 5078
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x00d1c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5079
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5080
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5081
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5082
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5083
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09abe000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5084
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5085
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5086
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5087
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00d1c000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5088
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 5089
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5090
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5091
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\YuGothL.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5092
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\YuGothL.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5093
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5094
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\YuGothL.ttc"
              }
            ],
            "repeated": 0,
            "id": 5095
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x00d2b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5096
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5097
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5098
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5099
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5100
          },
          {
            "timestamp": "2026-04-16 20:00:21,330",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5101
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5102
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ac0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5103
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5104
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5105
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5106
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00d2b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5107
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 5108
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5109
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5110
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5111
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5112
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\YuGothB.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5113
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\YuGothB.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5114
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5115
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\YuGothB.ttc"
              }
            ],
            "repeated": 0,
            "id": 5116
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x00dda000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5117
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5118
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5119
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5120
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088cf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5121
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5122
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ac3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5123
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001b000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5124
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5125
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00dda000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5126
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 5127
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5128
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5129
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\YuGothM.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5130
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\YuGothM.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5131
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5132
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\YuGothM.ttc"
              }
            ],
            "repeated": 0,
            "id": 5133
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x00d1c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5134
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5135
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001b000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5136
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5137
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5138
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5139
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ac5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5140
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001b000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5141
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00d1c000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5142
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 5143
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5144
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5145
          },
          {
            "timestamp": "2026-04-16 20:00:21,346",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\YuGothR.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5146
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\YuGothR.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5147
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5148
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\YuGothR.ttc"
              }
            ],
            "repeated": 0,
            "id": 5149
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x00d0b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5150
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5151
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001b000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5152
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5153
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5154
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ac7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5155
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00d0b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5156
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 5157
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5158
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5159
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\YuGothL.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5160
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\YuGothL.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5161
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5162
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\YuGothL.ttc"
              }
            ],
            "repeated": 0,
            "id": 5163
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x00d2b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5164
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5165
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5166
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09aca000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5167
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00d2b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5168
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 5169
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 5170
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5171
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\YuGothB.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5172
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\YuGothB.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5173
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5174
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\YuGothB.ttc"
              }
            ],
            "repeated": 0,
            "id": 5175
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x00dda000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5176
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5177
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5178
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5179
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088cf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5180
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088cf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5181
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001b000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5182
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5183
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09acc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5184
          },
          {
            "timestamp": "2026-04-16 20:00:21,361",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5185
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00dda000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5186
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 5187
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 5188
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5189
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\YuGothB.ttc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5190
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\YuGothB.ttc"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5191
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5192
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\YuGothB.ttc"
              }
            ],
            "repeated": 0,
            "id": 5193
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fd738"
              },
              {
                "name": "ViewSize",
                "value": "0x00dda000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5194
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5195
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001b000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5196
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5197
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5198
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ace000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5199
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00dda000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5200
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5201
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 5202
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5203
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\holomdl2.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5204
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\holomdl2.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5205
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5206
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\holomdl2.ttf"
              }
            ],
            "repeated": 0,
            "id": 5207
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0000a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5208
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5209
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5210
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ad1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5211
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5212
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 5213
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 5214
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5215
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\ALEF-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5216
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Alef-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5217
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5218
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Alef-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 5219
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00017000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5220
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5221
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00017000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5222
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 5223
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5224
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5225
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\ALEF-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5226
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Alef-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5227
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5228
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Alef-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 5229
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00017000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5230
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5231
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00017000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5232
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000564"
              }
            ],
            "repeated": 0,
            "id": 5233
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5234
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5235
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DAVIDCLM-MEDIUM.OTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5236
          },
          {
            "timestamp": "2026-04-16 20:00:21,377",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DavidCLM-Medium.otf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5237
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5238
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DavidCLM-Medium.otf"
              }
            ],
            "repeated": 0,
            "id": 5239
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0000e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5240
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5241
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5242
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ad2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5243
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5244
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5245
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5246
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5247
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DAVIDCLM-MEDIUMITALIC.OTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5248
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DavidCLM-MediumItalic.otf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5249
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5250
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DavidCLM-MediumItalic.otf"
              }
            ],
            "repeated": 0,
            "id": 5251
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00013000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5252
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5253
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5254
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5255
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5256
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5257
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DAVIDCLM-BOLD.OTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5258
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DavidCLM-Bold.otf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5259
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5260
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DavidCLM-Bold.otf"
              }
            ],
            "repeated": 0,
            "id": 5261
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0000f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5262
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5263
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5264
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5265
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5266
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088cf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5267
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5268
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5269
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5270
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5271
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5272
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5273
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DAVIDCLM-BOLDITALIC.OTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5274
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DavidCLM-BoldItalic.otf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5275
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5276
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DavidCLM-BoldItalic.otf"
              }
            ],
            "repeated": 0,
            "id": 5277
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5278
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5279
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088a2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5280
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5281
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ad3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5282
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5283
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5284
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5285
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5286
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LIBERATIONMONO-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5287
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LiberationMono-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5288
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5289
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LiberationMono-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 5290
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0004f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5291
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5292
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5293
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ad4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5294
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0004f000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5295
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5296
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5297
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5298
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LIBERATIONMONO-ITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5299
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LiberationMono-Italic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5300
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5301
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LiberationMono-Italic.ttf"
              }
            ],
            "repeated": 0,
            "id": 5302
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00045000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5303
          },
          {
            "timestamp": "2026-04-16 20:00:21,393",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5304
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00045000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5305
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5306
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5307
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5308
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LIBERATIONMONO-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5309
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LiberationMono-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5310
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5311
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LiberationMono-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 5312
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0004c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5313
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5314
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5315
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ad5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5316
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0004c000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5317
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5318
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5319
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5320
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LIBERATIONMONO-BOLDITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5321
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LiberationMono-BoldItalic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5322
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5323
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LiberationMono-BoldItalic.ttf"
              }
            ],
            "repeated": 0,
            "id": 5324
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00046000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5325
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5326
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5327
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ad6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5328
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00046000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5329
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5330
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5331
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5332
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTONASKHARABIC-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5333
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoNaskhArabic-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5334
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5335
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoNaskhArabic-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 5336
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00048000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5337
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5338
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5339
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5340
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5341
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00048000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5342
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5343
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5344
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5345
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTONASKHARABIC-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5346
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoNaskhArabic-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5347
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5348
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoNaskhArabic-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 5349
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00050000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5350
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5351
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5352
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5353
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5354
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5355
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5356
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ad7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5357
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00050000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5358
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5359
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5360
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5361
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\CALADEA-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5362
          },
          {
            "timestamp": "2026-04-16 20:00:21,408",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Caladea-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5363
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5364
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Caladea-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 5365
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0000f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5366
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5367
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5368
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5369
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5370
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5371
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5372
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\CALADEA-ITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5373
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Caladea-Italic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5374
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5375
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Caladea-Italic.ttf"
              }
            ],
            "repeated": 0,
            "id": 5376
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5377
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5378
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5379
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ad8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5380
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5381
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5382
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5383
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5384
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\CALADEA-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5385
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Caladea-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5386
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5387
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Caladea-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 5388
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0000f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5389
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5390
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5391
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5392
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5393
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5394
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\CALADEA-BOLDITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5395
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Caladea-BoldItalic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5396
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5397
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Caladea-BoldItalic.ttf"
              }
            ],
            "repeated": 0,
            "id": 5398
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5399
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5400
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5401
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ad9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5402
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5403
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5404
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5405
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5406
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\ReemKufi.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5407
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\ReemKufi.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5408
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5409
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\ReemKufi.ttf"
              }
            ],
            "repeated": 0,
            "id": 5410
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00020000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5411
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5412
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5413
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ada000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5414
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5415
          },
          {
            "timestamp": "2026-04-16 20:00:21,424",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5416
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5417
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5418
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\ReemKufi.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5419
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\ReemKufi.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5420
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5421
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\ReemKufi.ttf"
              }
            ],
            "repeated": 0,
            "id": 5422
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00020000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5423
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5424
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5425
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5426
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5427
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5428
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\ReemKufi.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5429
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\ReemKufi.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5430
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5431
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\ReemKufi.ttf"
              }
            ],
            "repeated": 0,
            "id": 5432
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00020000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5433
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5434
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5435
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09adb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5436
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5437
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5438
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5439
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5440
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\ReemKufi.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5441
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\ReemKufi.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5442
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5443
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\ReemKufi.ttf"
              }
            ],
            "repeated": 0,
            "id": 5444
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00020000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5445
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5446
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5447
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09adc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5448
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5449
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5450
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5451
          },
          {
            "timestamp": "2026-04-16 20:00:21,439",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5452
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSANS-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5453
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSans-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5454
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5455
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSans-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 5456
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000ca000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5457
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5458
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5459
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09add000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5460
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000ca000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5461
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5462
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 5463
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5464
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5465
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5466
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5467
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSANS-ITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5468
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSans-Italic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5469
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5470
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSans-Italic.ttf"
              }
            ],
            "repeated": 0,
            "id": 5471
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000cf000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5472
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5473
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5474
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000cf000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5475
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5476
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 5477
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5478
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSANS-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5479
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSans-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5480
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5481
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSans-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 5482
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000cd000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5483
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5484
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5485
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ade000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5486
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000cd000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5487
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5488
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 5489
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5490
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSANS-BOLDITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5491
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSans-BoldItalic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5492
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5493
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSans-BoldItalic.ttf"
              }
            ],
            "repeated": 0,
            "id": 5494
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000d1000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5495
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5496
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088cf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5497
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000d1000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5498
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5499
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 5500
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5501
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSERIFGEORGIAN-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5502
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSerifGeorgian-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5503
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5504
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSerifGeorgian-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 5505
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0001a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5506
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5507
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5508
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09adf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5509
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5510
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5511
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 5512
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5513
          },
          {
            "timestamp": "2026-04-16 20:00:21,455",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSERIFGEORGIAN-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5514
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSerifGeorgian-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5515
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5516
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSerifGeorgian-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 5517
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0001b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5518
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5519
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5520
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ae0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5521
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5522
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5523
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 5524
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5525
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\AMIRI-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5526
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Amiri-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5527
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5528
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Amiri-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 5529
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0006a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5530
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5531
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0006a000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5532
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5533
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 5534
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5535
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\AMIRI-ITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5536
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Amiri-Italic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5537
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5538
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Amiri-Italic.ttf"
              }
            ],
            "repeated": 0,
            "id": 5539
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00069000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5540
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5541
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5542
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ae1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5543
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00069000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5544
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5545
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 5546
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5547
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\AMIRI-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5548
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Amiri-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5549
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5550
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Amiri-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 5551
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00065000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5552
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5553
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5554
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ae2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5555
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00065000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5556
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5557
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 5558
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5559
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\AMIRI-BOLDITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5560
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Amiri-BoldItalic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5561
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5562
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Amiri-BoldItalic.ttf"
              }
            ],
            "repeated": 0,
            "id": 5563
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00065000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5564
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5565
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00065000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5566
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5567
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 5568
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5569
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LIBERATIONSANS-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5570
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LiberationSans-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5571
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5572
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LiberationSans-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 5573
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00065000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5574
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5575
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5576
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ae3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5577
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00065000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5578
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5579
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 5580
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5581
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LIBERATIONSANS-ITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5582
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LiberationSans-Italic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5583
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5584
          },
          {
            "timestamp": "2026-04-16 20:00:21,471",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LiberationSans-Italic.ttf"
              }
            ],
            "repeated": 0,
            "id": 5585
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00066000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5586
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5587
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5588
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ae4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5589
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00066000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5590
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5591
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 5592
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5593
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LIBERATIONSANS-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5594
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LiberationSans-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5595
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5596
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LiberationSans-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 5597
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00066000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5598
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5599
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00066000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5600
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5601
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 5602
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5603
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LIBERATIONSANS-BOLDITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5604
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LiberationSans-BoldItalic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5605
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5606
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LiberationSans-BoldItalic.ttf"
              }
            ],
            "repeated": 0,
            "id": 5607
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00064000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5608
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5609
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5610
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ae5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5611
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00064000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5612
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5613
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 5614
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5615
          },
          {
            "timestamp": "2026-04-16 20:00:21,486",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LIBERATIONSANSNARROW-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5616
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LiberationSansNarrow-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5617
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5618
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LiberationSansNarrow-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 5619
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0001c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5620
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5621
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5622
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ae6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5623
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5624
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5625
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 5626
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5627
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LIBERATIONSANSNARROW-ITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5628
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LiberationSansNarrow-Italic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5629
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5630
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LiberationSansNarrow-Italic.ttf"
              }
            ],
            "repeated": 0,
            "id": 5631
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00021000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5632
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5633
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5634
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5635
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 5636
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5637
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LIBERATIONSANSNARROW-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5638
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LiberationSansNarrow-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5639
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5640
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LiberationSansNarrow-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 5641
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0001b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5642
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5643
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5644
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ae7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5645
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5646
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5647
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 5648
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5649
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LIBERATIONSANSNARROW-BOLDITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5650
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LiberationSansNarrow-BoldItalic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5651
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5652
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LiberationSansNarrow-BoldItalic.ttf"
              }
            ],
            "repeated": 0,
            "id": 5653
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00020000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5654
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5655
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5656
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5657
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 5658
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5659
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOKUFIARABIC-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5660
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoKufiArabic-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5661
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5662
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoKufiArabic-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 5663
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00043000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5664
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5665
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5666
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ae8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5667
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00043000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5668
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 5669
          },
          {
            "timestamp": "2026-04-16 20:00:21,502",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 5670
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5671
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOKUFIARABIC-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5672
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoKufiArabic-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5673
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5674
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoKufiArabic-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 5675
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00049000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5676
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5677
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5678
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ae9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5679
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00049000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5680
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5681
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 5682
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5683
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSANSARMENIAN-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5684
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSansArmenian-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5685
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5686
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSansArmenian-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 5687
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00011000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5688
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5689
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5690
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5691
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5692
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 5693
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5694
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5695
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5696
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSANSARMENIAN-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5697
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSansArmenian-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5698
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5699
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSansArmenian-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 5700
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00011000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5701
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5702
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5703
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5704
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5705
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09aea000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5706
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5707
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5708
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 5709
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5710
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSANSHEBREW-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5711
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSansHebrew-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5712
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5713
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSansHebrew-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 5714
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00011000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5715
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5716
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5717
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 5718
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 5719
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5720
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSANSHEBREW-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5721
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSansHebrew-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5722
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5723
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSansHebrew-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 5724
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00011000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5725
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5726
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5727
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09aeb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5728
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5729
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 5730
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 5731
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5732
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DEJAVUMATHTEXGYRE.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5733
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DejaVuMathTeXGyre.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5734
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5735
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DejaVuMathTeXGyre.ttf"
              }
            ],
            "repeated": 0,
            "id": 5736
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0008e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5737
          },
          {
            "timestamp": "2026-04-16 20:00:21,518",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5738
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0008e000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5739
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 5740
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 5741
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5742
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\opens___.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5743
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\opens___.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5744
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5745
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\opens___.ttf"
              }
            ],
            "repeated": 0,
            "id": 5746
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00033000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5747
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5748
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5749
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09aec000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5750
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00033000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5751
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5752
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5753
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5754
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5755
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DAVIDLIBRE-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5756
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DavidLibre-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5757
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5758
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DavidLibre-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 5759
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0001d000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5760
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5761
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001d000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5762
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5763
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5764
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5765
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DAVIDLIBRE-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5766
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DavidLibre-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5767
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5768
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DavidLibre-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 5769
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0001e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5770
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5771
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5772
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09aed000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5773
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001e000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5774
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5775
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5776
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5777
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\GenBasR.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5778
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\GenBasR.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5779
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5780
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\GenBasR.ttf"
              }
            ],
            "repeated": 0,
            "id": 5781
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00041000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5782
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5783
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5784
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5785
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09aee000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5786
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5787
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5788
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5789
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00041000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5790
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5791
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5792
          },
          {
            "timestamp": "2026-04-16 20:00:21,533",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5793
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\GenBasI.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5794
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\GenBasI.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5795
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5796
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\GenBasI.ttf"
              }
            ],
            "repeated": 0,
            "id": 5797
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00040000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5798
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5799
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5800
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5801
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5802
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09af1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5803
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5804
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5805
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00040000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5806
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 5807
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5808
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5809
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\GenBasB.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5810
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\GenBasB.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5811
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5812
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\GenBasB.ttf"
              }
            ],
            "repeated": 0,
            "id": 5813
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00042000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5814
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5815
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5816
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5817
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5818
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09af3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5819
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5820
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5821
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00042000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5822
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 5823
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5824
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5825
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\GenBasBI.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5826
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\GenBasBI.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5827
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5828
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\GenBasBI.ttf"
              }
            ],
            "repeated": 0,
            "id": 5829
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0003d000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5830
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5831
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5832
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5833
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5834
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09af6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5835
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5836
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5837
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0003d000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5838
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 5839
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5840
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5841
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSERIFLAO-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5842
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSerifLao-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5843
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5844
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSerifLao-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 5845
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00016000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5846
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5847
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5848
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00016000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5849
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 5850
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5851
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5852
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSERIFLAO-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5853
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSerifLao-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5854
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5855
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSerifLao-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 5856
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00017000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5857
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5858
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5859
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09af9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5860
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00017000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5861
          },
          {
            "timestamp": "2026-04-16 20:00:21,549",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 5862
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5863
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5864
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSERIFARMENIAN-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5865
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSerifArmenian-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5866
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5867
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSerifArmenian-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 5868
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00013000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5869
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5870
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5871
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 5872
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5873
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5874
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSERIFARMENIAN-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5875
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSerifArmenian-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5876
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5877
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSerifArmenian-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 5878
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00013000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5879
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5880
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5881
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09afa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5882
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5883
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 5884
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5885
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5886
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSANSARABIC-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5887
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSansArabic-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5888
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5889
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSansArabic-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 5890
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0003e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5891
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5892
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0003e000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5893
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 5894
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5895
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5896
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSANSARABIC-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5897
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSansArabic-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5898
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5899
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSansArabic-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 5900
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00040000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5901
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5902
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5903
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09afb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5904
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00040000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5905
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 5906
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5907
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5908
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSANSGEORGIAN-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5909
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSansGeorgian-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5910
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5911
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSansGeorgian-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 5912
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00016000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5913
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5914
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00016000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5915
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 5916
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5917
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5918
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSANSGEORGIAN-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5919
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSansGeorgian-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5920
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5921
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000588"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSansGeorgian-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 5922
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000584"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00017000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5923
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5924
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5925
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09afc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5926
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00017000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5927
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 5928
          },
          {
            "timestamp": "2026-04-16 20:00:21,564",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5929
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5930
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSANSLAO-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5931
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSansLao-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5932
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5933
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSansLao-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 5934
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00013000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5935
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5936
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5937
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09afd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5938
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5939
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5940
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5941
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5942
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSANSLAO-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5943
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSansLao-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5944
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5945
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSansLao-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 5946
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00013000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5947
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5948
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5949
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5950
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5951
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5952
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSERIFHEBREW-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5953
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSerifHebrew-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5954
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5955
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSerifHebrew-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 5956
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00013000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5957
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5958
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5959
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09afe000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5960
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5961
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 5962
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5963
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5964
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSERIFHEBREW-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5965
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSerifHebrew-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5966
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5967
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSerifHebrew-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 5968
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00014000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5969
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5970
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00014000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5971
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5972
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5973
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5974
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LINBIOLINUM_R_G.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5975
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LinBiolinum_R_G.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5976
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5977
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LinBiolinum_R_G.ttf"
              }
            ],
            "repeated": 0,
            "id": 5978
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x001da000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5979
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5980
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5981
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5982
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5983
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5984
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09aff000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5985
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x001da000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5986
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5987
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 5988
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5989
          },
          {
            "timestamp": "2026-04-16 20:00:21,580",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LINBIOLINUM_RI_G.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5990
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LinBiolinum_RI_G.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5991
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5992
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LinBiolinum_RI_G.ttf"
              }
            ],
            "repeated": 0,
            "id": 5993
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x001e9000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5994
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 5995
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5996
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5997
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5998
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5999
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x001e9000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6000
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 6001
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6002
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6003
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LINBIOLINUM_RB_G.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6004
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LinBiolinum_RB_G.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6005
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6006
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LinBiolinum_RB_G.ttf"
              }
            ],
            "repeated": 0,
            "id": 6007
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x001e6000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6008
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6009
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6010
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6011
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6012
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6013
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6014
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6015
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x001e6000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6016
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 6017
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6018
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6019
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\CARLITO-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6020
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Carlito-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6021
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6022
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Carlito-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 6023
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0009c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6024
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6025
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6026
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6027
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b01000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6028
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0009c000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6029
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 6030
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6031
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6032
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\CARLITO-ITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6033
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Carlito-Italic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6034
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6035
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Carlito-Italic.ttf"
              }
            ],
            "repeated": 0,
            "id": 6036
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00099000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6037
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6038
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6039
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b02000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6040
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00099000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6041
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 6042
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6043
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6044
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\CARLITO-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6045
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Carlito-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6046
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6047
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Carlito-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 6048
          },
          {
            "timestamp": "2026-04-16 20:00:21,596",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000a9000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6049
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6050
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000a9000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6051
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 6052
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6053
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6054
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\CARLITO-BOLDITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6055
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Carlito-BoldItalic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6056
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6057
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Carlito-BoldItalic.ttf"
              }
            ],
            "repeated": 0,
            "id": 6058
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000c8000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6059
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6060
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6061
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b03000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6062
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000c8000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6063
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 6064
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6065
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6066
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSANSLISU-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6067
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSansLisu-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6068
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6069
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSansLisu-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 6070
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0000e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6071
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6072
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6073
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b04000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6074
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6075
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 6076
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6077
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6078
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSANSLISU-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6079
          },
          {
            "timestamp": "2026-04-16 20:00:21,611",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSansLisu-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6080
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6081
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSansLisu-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 6082
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000594"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0000e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6083
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6084
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6085
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6086
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6087
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6088
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SCHEHERAZADE-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6089
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Scheherazade-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6090
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6091
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Scheherazade-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 6092
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000594"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0007b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6093
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6094
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6095
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6096
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b05000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6097
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6098
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6099
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0007b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6100
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6101
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6102
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6103
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\SCHEHERAZADE-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6104
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Scheherazade-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6105
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6106
          },
          {
            "timestamp": "2026-04-16 20:00:21,627",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Scheherazade-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 6107
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000594"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00086000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6108
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6109
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6110
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6111
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6112
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b08000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6113
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6114
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6115
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00086000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6116
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6117
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6118
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6119
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSERIF-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6120
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSerif-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6121
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6122
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSerif-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 6123
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000594"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000ae000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6124
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6125
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6126
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6127
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b0a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6128
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000ae000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6129
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6130
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6131
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6132
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSERIF-ITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6133
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSerif-Italic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6134
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6135
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSerif-Italic.ttf"
              }
            ],
            "repeated": 0,
            "id": 6136
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000b9000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6137
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6138
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6139
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b0b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6140
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000b9000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6141
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 6142
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6143
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6144
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSERIF-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6145
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSerif-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6146
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6147
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSerif-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 6148
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000b7000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6149
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6150
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000b7000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6151
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 6152
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6153
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6154
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NOTOSERIF-BOLDITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6155
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NotoSerif-BoldItalic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6156
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6157
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NotoSerif-BoldItalic.ttf"
              }
            ],
            "repeated": 0,
            "id": 6158
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000bf000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6159
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6160
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6161
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b0c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6162
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000bf000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6163
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 6164
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6165
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6166
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\AMIRIQURAN.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6167
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\AmiriQuran.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6168
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6169
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\AmiriQuran.ttf"
              }
            ],
            "repeated": 0,
            "id": 6170
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00021000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6171
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6172
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6173
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6174
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b0d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6175
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6176
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6177
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6178
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6179
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\FRANKRUEHLCLM-MEDIUM.OTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6180
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\FrankRuehlCLM-Medium.otf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6181
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6182
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\FrankRuehlCLM-Medium.otf"
              }
            ],
            "repeated": 0,
            "id": 6183
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000590"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00025000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6184
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6185
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6186
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6187
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088be000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6188
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6189
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6190
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b0e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6191
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088be000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6192
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6193
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6194
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6195
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6196
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6197
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\FRANKRUEHLCLM-MEDIUMOBLIQUE.OTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6198
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\FrankRuehlCLM-MediumOblique.otf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6199
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6200
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\FrankRuehlCLM-MediumOblique.otf"
              }
            ],
            "repeated": 0,
            "id": 6201
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0001b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6202
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6203
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6204
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6205
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 6206
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6207
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6208
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\FRANKRUEHLCLM-BOLD.OTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6209
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\FrankRuehlCLM-Bold.otf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6210
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6211
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\FrankRuehlCLM-Bold.otf"
              }
            ],
            "repeated": 0,
            "id": 6212
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6213
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6214
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6215
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b17000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6216
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6217
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 6218
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6219
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6220
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\FRANKRUEHLCLM-BOLDOBLIQUE.OTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6221
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\FrankRuehlCLM-BoldOblique.otf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6222
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6223
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\FrankRuehlCLM-BoldOblique.otf"
              }
            ],
            "repeated": 0,
            "id": 6224
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0001b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6225
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6226
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6227
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 6228
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6229
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6230
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\MIRIAMCLM-BOOK.OTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6231
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\MiriamCLM-Book.otf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6232
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6233
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\MiriamCLM-Book.otf"
              }
            ],
            "repeated": 0,
            "id": 6234
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0000f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6235
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6236
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 6237
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "he-IL"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\he-IL"
              }
            ],
            "repeated": 0,
            "id": 6238
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 6239
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 6240
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "he-IL"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\he-IL"
              }
            ],
            "repeated": 0,
            "id": 6241
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 6242
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6243
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6244
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6245
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6246
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6247
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6248
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6249
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6250
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b18000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6251
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6252
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 6253
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6254
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6255
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\MIRIAMCLM-BOLD.OTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6256
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\MiriamCLM-Bold.otf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6257
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6258
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\MiriamCLM-Bold.otf"
              }
            ],
            "repeated": 0,
            "id": 6259
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00014000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6260
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6261
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6262
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6263
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6264
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6265
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6266
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6267
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6268
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6269
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00014000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6270
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 6271
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6272
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6273
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\MIRIAMMONOCLM-BOOK.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6274
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\MiriamMonoCLM-Book.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6275
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6276
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\MiriamMonoCLM-Book.ttf"
              }
            ],
            "repeated": 0,
            "id": 6277
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0000d000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6278
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6279
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6280
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6281
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6282
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6283
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6284
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 6285
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6286
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6287
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\MIRIAMMONOCLM-BOOKOBLIQUE.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6288
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\MiriamMonoCLM-BookOblique.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6289
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6290
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\MiriamMonoCLM-BookOblique.ttf"
              }
            ],
            "repeated": 0,
            "id": 6291
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0000e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6292
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6293
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6294
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6295
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6296
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6297
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6298
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b19000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6299
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6300
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 6301
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6302
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6303
          },
          {
            "timestamp": "2026-04-16 20:00:21,674",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\MIRIAMMONOCLM-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6304
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\MiriamMonoCLM-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6305
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6306
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\MiriamMonoCLM-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 6307
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0000e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6308
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6309
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6310
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6311
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6312
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6313
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6314
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 6315
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6316
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6317
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\MIRIAMMONOCLM-BOLDOBLIQUE.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6318
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\MiriamMonoCLM-BoldOblique.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6319
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6320
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\MiriamMonoCLM-BoldOblique.ttf"
              }
            ],
            "repeated": 0,
            "id": 6321
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0000e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6322
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6323
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6324
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6325
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6326
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6327
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6328
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b1a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6329
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6330
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6331
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6332
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6333
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NACHLIELICLM-LIGHT.OTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6334
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NachlieliCLM-Light.otf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6335
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6336
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NachlieliCLM-Light.otf"
              }
            ],
            "repeated": 0,
            "id": 6337
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0000d000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6338
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6339
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6340
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6341
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6342
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6343
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6344
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NACHLIELICLM-LIGHTOBLIQUE.OTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6345
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NachlieliCLM-LightOblique.otf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6346
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6347
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NachlieliCLM-LightOblique.otf"
              }
            ],
            "repeated": 0,
            "id": 6348
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00013000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6349
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6350
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6351
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b1b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6352
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6353
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6354
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6355
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6356
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NACHLIELICLM-BOLD.OTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6357
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NachlieliCLM-Bold.otf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6358
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6359
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NachlieliCLM-Bold.otf"
              }
            ],
            "repeated": 0,
            "id": 6360
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0000f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6361
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6362
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6363
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6364
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6365
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6366
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NACHLIELICLM-BOLDOBLIQUE.OTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6367
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\NachlieliCLM-BoldOblique.otf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6368
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6369
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\NachlieliCLM-BoldOblique.otf"
              }
            ],
            "repeated": 0,
            "id": 6370
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00014000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6371
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6372
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6373
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b1c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6374
          },
          {
            "timestamp": "2026-04-16 20:00:21,689",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00014000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6375
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6376
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6377
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6378
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DEJAVUSANS.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6379
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DejaVuSans.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6380
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6381
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DejaVuSans.ttf"
              }
            ],
            "repeated": 0,
            "id": 6382
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000b9000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6383
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6384
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6385
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6386
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6387
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6388
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6389
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b1d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6390
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6391
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6392
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000b9000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6393
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6394
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6395
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6396
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DEJAVUSANS-OBLIQUE.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6397
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DejaVuSans-Oblique.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6398
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6399
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DejaVuSans-Oblique.ttf"
              }
            ],
            "repeated": 0,
            "id": 6400
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0009c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6401
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6402
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6403
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6404
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6405
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6406
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6407
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b20000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6408
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6409
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6410
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0009c000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6411
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6412
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6413
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6414
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DEJAVUSANS-EXTRALIGHT.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6415
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DejaVuSans-ExtraLight.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6416
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6417
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DejaVuSans-ExtraLight.ttf"
              }
            ],
            "repeated": 0,
            "id": 6418
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00057000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6419
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6420
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6421
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6422
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6423
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6424
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6425
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6426
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b22000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6427
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6428
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x00057000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6429
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6430
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6431
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6432
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DEJAVUSANSCONDENSED.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6433
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DejaVuSansCondensed.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6434
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6435
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DejaVuSansCondensed.ttf"
              }
            ],
            "repeated": 0,
            "id": 6436
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000a7000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6437
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6438
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6439
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6440
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6441
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6442
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6443
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b24000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6444
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6445
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6446
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000a7000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6447
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6448
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6449
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6450
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DEJAVUSANSCONDENSED-OBLIQUE.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6451
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DejaVuSansCondensed-Oblique.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6452
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6453
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DejaVuSansCondensed-Oblique.ttf"
              }
            ],
            "repeated": 0,
            "id": 6454
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00093000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6455
          },
          {
            "timestamp": "2026-04-16 20:00:21,705",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6456
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6457
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6458
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6459
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6460
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6461
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b27000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6462
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6463
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6464
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00093000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6465
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6466
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6467
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6468
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DEJAVUSANS-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6469
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DejaVuSans-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6470
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6471
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DejaVuSans-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 6472
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000ad000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6473
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6474
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6475
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6476
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6477
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6478
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6479
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b2a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6480
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6481
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6482
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000ad000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6483
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6484
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6485
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6486
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DEJAVUSANS-BOLDOBLIQUE.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6487
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DejaVuSans-BoldOblique.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6488
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6489
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DejaVuSans-BoldOblique.ttf"
              }
            ],
            "repeated": 0,
            "id": 6490
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0009e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6491
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6492
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6493
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6494
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6495
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6496
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6497
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b2d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6498
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6499
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6500
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0009e000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6501
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6502
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6503
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6504
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DEJAVUSANSCONDENSED-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6505
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DejaVuSansCondensed-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6506
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6507
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DejaVuSansCondensed-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 6508
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x000a3000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6509
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6510
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6511
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6512
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6513
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6514
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6515
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b30000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6516
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6517
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6518
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000a3000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6519
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6520
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6521
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6522
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DEJAVUSANSCONDENSED-BOLDOBLIQUE.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6523
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DejaVuSansCondensed-BoldOblique.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6524
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6525
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DejaVuSansCondensed-BoldOblique.ttf"
              }
            ],
            "repeated": 0,
            "id": 6526
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00096000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6527
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6528
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6529
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6530
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6531
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6532
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6533
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b33000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6534
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6535
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6536
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00096000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6537
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6538
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6539
          },
          {
            "timestamp": "2026-04-16 20:00:21,721",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6540
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DEJAVUSANSMONO.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6541
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DejaVuSansMono.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6542
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6543
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DejaVuSansMono.ttf"
              }
            ],
            "repeated": 0,
            "id": 6544
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00054000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6545
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6546
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6547
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6548
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6549
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6550
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6551
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6552
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b36000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6553
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6554
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x00054000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6555
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 6556
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6557
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6558
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DEJAVUSANSMONO-OBLIQUE.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6559
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DejaVuSansMono-Oblique.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6560
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6561
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DejaVuSansMono-Oblique.ttf"
              }
            ],
            "repeated": 0,
            "id": 6562
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0003e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6563
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6564
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6565
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6566
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6567
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6568
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6569
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6570
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b38000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6571
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6572
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0003e000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6573
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 6574
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6575
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6576
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DEJAVUSANSMONO-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6577
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DejaVuSansMono-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6578
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6579
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DejaVuSansMono-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 6580
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00052000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6581
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6582
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6583
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6584
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6585
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6586
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6587
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6588
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b3a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6589
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6590
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x00052000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6591
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 6592
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6593
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6594
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DEJAVUSANSMONO-BOLDOBLIQUE.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6595
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DejaVuSansMono-BoldOblique.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6596
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6597
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DejaVuSansMono-BoldOblique.ttf"
              }
            ],
            "repeated": 0,
            "id": 6598
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0003e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6599
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6600
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6601
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6602
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6603
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6604
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6605
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6606
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b3b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6607
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6608
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0003e000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6609
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 6610
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6611
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6612
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DEJAVUSERIF.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6613
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DejaVuSerif.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6614
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6615
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DejaVuSerif.ttf"
              }
            ],
            "repeated": 0,
            "id": 6616
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0005d000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6617
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6618
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6619
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6620
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6621
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6622
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6623
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6624
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b3d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6625
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6626
          },
          {
            "timestamp": "2026-04-16 20:00:21,736",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005d000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6627
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 6628
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6629
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6630
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DEJAVUSERIFCONDENSED.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6631
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DejaVuSerifCondensed.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6632
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6633
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DejaVuSerifCondensed.ttf"
              }
            ],
            "repeated": 0,
            "id": 6634
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00055000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6635
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6636
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6637
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6638
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6639
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6640
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6641
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6642
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b3f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6643
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6644
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x00055000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6645
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6646
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6647
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6648
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DEJAVUSERIF-ITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6649
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DejaVuSerif-Italic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6650
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6651
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DejaVuSerif-Italic.ttf"
              }
            ],
            "repeated": 0,
            "id": 6652
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00055000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6653
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6654
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6655
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6656
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6657
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6658
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6659
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6660
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b41000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6661
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6662
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x00055000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6663
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6664
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6665
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6666
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DEJAVUSERIF-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6667
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DejaVuSerif-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6668
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6669
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DejaVuSerif-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 6670
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00057000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6671
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6672
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6673
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6674
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6675
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6676
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6677
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6678
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b42000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6679
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6680
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x00057000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6681
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6682
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6683
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6684
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DEJAVUSERIFCONDENSED-ITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6685
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DejaVuSerifCondensed-Italic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6686
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6687
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DejaVuSerifCondensed-Italic.ttf"
              }
            ],
            "repeated": 0,
            "id": 6688
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00055000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6689
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6690
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6691
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6692
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6693
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6694
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6695
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6696
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b44000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6697
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6698
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x00055000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6699
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6700
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6701
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6702
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DEJAVUSERIFCONDENSED-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6703
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DejaVuSerifCondensed-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6704
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6705
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DejaVuSerifCondensed-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 6706
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00051000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6707
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6708
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6709
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6710
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6711
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6712
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6713
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6714
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b46000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6715
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6716
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x00051000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6717
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6718
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6719
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6720
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DEJAVUSERIF-BOLDITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6721
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DejaVuSerif-BoldItalic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6722
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6723
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DejaVuSerif-BoldItalic.ttf"
              }
            ],
            "repeated": 0,
            "id": 6724
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00055000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6725
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6726
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6727
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6728
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6729
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6730
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6731
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6732
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b48000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6733
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6734
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x00055000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6735
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6736
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6737
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6738
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DEJAVUSERIFCONDENSED-BOLDITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6739
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\DejaVuSerifCondensed-BoldItalic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6740
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6741
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\DejaVuSerifCondensed-BoldItalic.ttf"
              }
            ],
            "repeated": 0,
            "id": 6742
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00055000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6743
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6744
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6745
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6746
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6747
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6748
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6749
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6750
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b49000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6751
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6752
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x00055000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6753
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6754
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6755
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6756
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\GENBKBASR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6757
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\GenBkBasR.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6758
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6759
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\GenBkBasR.ttf"
              }
            ],
            "repeated": 0,
            "id": 6760
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00042000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6761
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6762
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6763
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6764
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b4b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6765
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6766
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6767
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00042000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6768
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 6769
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6770
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6771
          },
          {
            "timestamp": "2026-04-16 20:00:21,768",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\GENBKBASI.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6772
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\GenBkBasI.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6773
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6774
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\GenBkBasI.ttf"
              }
            ],
            "repeated": 0,
            "id": 6775
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00040000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6776
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6777
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6778
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6779
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6780
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b4e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6781
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6782
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6783
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00040000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6784
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 6785
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6786
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6787
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\GENBKBASB.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6788
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\GenBkBasB.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6789
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6790
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\GenBkBasB.ttf"
              }
            ],
            "repeated": 0,
            "id": 6791
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00042000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6792
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6793
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6794
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6795
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6796
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b50000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6797
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6798
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6799
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00042000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6800
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 6801
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6802
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6803
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\GENBKBASBI.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6804
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\GenBkBasBI.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6805
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6806
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\GenBkBasBI.ttf"
              }
            ],
            "repeated": 0,
            "id": 6807
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0003c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6808
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6809
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6810
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6811
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6812
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b53000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6813
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6814
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6815
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x0003c000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6816
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 6817
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6818
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6819
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LIBERATIONSERIF-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6820
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LiberationSerif-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6821
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6822
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LiberationSerif-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 6823
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00061000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6824
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6825
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6826
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00061000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6827
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 6828
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6829
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6830
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LIBERATIONSERIF-ITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6831
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LiberationSerif-Italic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6832
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6833
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LiberationSerif-Italic.ttf"
              }
            ],
            "repeated": 0,
            "id": 6834
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0005c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6835
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6836
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6837
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b56000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6838
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005c000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6839
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 6840
          },
          {
            "timestamp": "2026-04-16 20:00:21,783",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 6841
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6842
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LIBERATIONSERIF-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6843
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LiberationSerif-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6844
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6845
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LiberationSerif-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 6846
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0005b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6847
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6848
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6849
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b57000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6850
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6851
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 6852
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6853
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6854
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LIBERATIONSERIF-BOLDITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6855
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LiberationSerif-BoldItalic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6856
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6857
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LiberationSerif-BoldItalic.ttf"
              }
            ],
            "repeated": 0,
            "id": 6858
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x0005c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6859
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6860
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6861
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b58000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6862
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005c000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6863
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 6864
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6865
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6866
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LINLIBERTINE_DR_G.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6867
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LinLibertine_DR_G.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6868
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6869
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LinLibertine_DR_G.ttf"
              }
            ],
            "repeated": 0,
            "id": 6870
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x001eb000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6871
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6872
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6873
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6874
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6875
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x001eb000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6876
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 6877
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6878
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6879
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LINLIBERTINE_R_G.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6880
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LinLibertine_R_G.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6881
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6882
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LinLibertine_R_G.ttf"
              }
            ],
            "repeated": 0,
            "id": 6883
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00273000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6884
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6885
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6886
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6887
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6888
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6889
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6890
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b59000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6891
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00273000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6892
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 6893
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6894
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6895
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LINLIBERTINE_RZ_G.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6896
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LinLibertine_RZ_G.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6897
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6898
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LinLibertine_RZ_G.ttf"
              }
            ],
            "repeated": 0,
            "id": 6899
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x001e2000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6900
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6901
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6902
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6903
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6904
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6905
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6906
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b5a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6907
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x001e2000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6908
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 6909
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6910
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6911
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LINLIBERTINE_RI_G.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6912
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "3964",
            "caller": "0x772627d9",
            "parentcaller": "0x77262732",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6913
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "3964",
            "caller": "0x772627d9",
            "parentcaller": "0x77262732",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "Milliseconds",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 6914
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LinLibertine_RI_G.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6915
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6916
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LinLibertine_RI_G.ttf"
              }
            ],
            "repeated": 0,
            "id": 6917
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x001f5000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6918
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6919
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6920
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6921
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6922
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6923
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x001f5000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6924
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 6925
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6926
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6927
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LINLIBERTINE_RB_G.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6928
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LinLibertine_RB_G.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6929
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6930
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LinLibertine_RB_G.ttf"
              }
            ],
            "repeated": 0,
            "id": 6931
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00203000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6932
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6933
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6934
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6935
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6936
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6937
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6938
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b5b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6939
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00203000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6940
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 6941
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6942
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6943
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LINLIBERTINE_RZI_G.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6944
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LinLibertine_RZI_G.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6945
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6946
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LinLibertine_RZI_G.ttf"
              }
            ],
            "repeated": 0,
            "id": 6947
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x001de000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6948
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6949
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6950
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6951
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6952
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6953
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6954
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b5c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6955
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x001de000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6956
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 6957
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6958
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6959
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LINLIBERTINE_RBI_G.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6960
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\LinLibertine_RBI_G.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6961
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6962
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\LinLibertine_RBI_G.ttf"
              }
            ],
            "repeated": 0,
            "id": 6963
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00182000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6964
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6965
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6966
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6967
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6968
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 6969
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00182000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6970
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 6971
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6972
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6973
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\FRANKRUHLHOFSHI-REGULAR.OTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6974
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\FrankRuhlHofshi-Regular.otf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6975
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6976
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\FrankRuhlHofshi-Regular.otf"
              }
            ],
            "repeated": 0,
            "id": 6977
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6978
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "3964",
            "caller": "0x772627d9",
            "parentcaller": "0x77262732",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6979
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "3964",
            "caller": "0x772627d9",
            "parentcaller": "0x77262732",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              },
              {
                "name": "Milliseconds",
                "value": "20000"
              }
            ],
            "repeated": 0,
            "id": 6980
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6981
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6982
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6983
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b5d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6984
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6985
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 6986
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6987
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6988
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\FRANKRUHLHOFSHI-BOLD.OTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6989
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\FrankRuhlHofshi-Bold.otf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6990
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6991
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\FrankRuhlHofshi-Bold.otf"
              }
            ],
            "repeated": 0,
            "id": 6992
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6993
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 6994
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6995
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 6996
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 6997
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6998
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\MIRIAMLIBRE-REGULAR.OTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6999
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\MiriamLibre-Regular.otf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7000
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7001
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\MiriamLibre-Regular.otf"
              }
            ],
            "repeated": 0,
            "id": 7002
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7003
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 7004
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7005
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b5e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7006
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7007
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 7008
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 7009
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7010
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\MIRIAMLIBRE-BOLD.OTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7011
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\MiriamLibre-Bold.otf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7012
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7013
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\MiriamLibre-Bold.otf"
              }
            ],
            "repeated": 0,
            "id": 7014
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00011000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7015
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 7016
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7017
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 7018
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 7019
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7020
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\RUBIK-REGULAR.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7021
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Rubik-Regular.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7022
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7023
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Rubik-Regular.ttf"
              }
            ],
            "repeated": 0,
            "id": 7024
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000598"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00022000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7025
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 7026
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7027
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b5f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7028
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00022000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7029
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 7030
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 7031
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7032
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\RUBIK-ITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7033
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Rubik-Italic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7034
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7035
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Rubik-Italic.ttf"
              }
            ],
            "repeated": 0,
            "id": 7036
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000594"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00024000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7037
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 7038
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00024000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7039
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 7040
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 7041
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7042
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\RUBIK-BOLD.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7043
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Rubik-Bold.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7044
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7045
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Rubik-Bold.ttf"
              }
            ],
            "repeated": 0,
            "id": 7046
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000594"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00023000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7047
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 7048
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00023000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7049
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 7050
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 7051
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7052
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\RUBIK-BOLDITALIC.TTF"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7053
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\Rubik-BoldItalic.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7054
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7055
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\Rubik-BoldItalic.ttf"
              }
            ],
            "repeated": 0,
            "id": 7056
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000594"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00024000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7057
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 7058
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7059
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7060
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00024000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7061
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 7062
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 7063
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7064
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\marlett.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7065
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\marlett.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7066
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7067
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\marlett.ttf"
              }
            ],
            "repeated": 0,
            "id": 7068
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000594"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdac4"
              },
              {
                "name": "ViewSize",
                "value": "0x00007000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7069
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 7070
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0889d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7071
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7072
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              }
            ],
            "repeated": 0,
            "id": 7073
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 7074
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77150000"
              },
              {
                "name": "FunctionName",
                "value": "RegOpenKeyExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77256d30"
              }
            ],
            "repeated": 0,
            "id": 7075
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7076
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000118"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink"
              }
            ],
            "repeated": 0,
            "id": 7077
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77150000"
              },
              {
                "name": "FunctionName",
                "value": "RegEnumValueW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x772546e0"
              }
            ],
            "repeated": 0,
            "id": 7078
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7079
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7080
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7081
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 1,
            "id": 7082
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "4"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7083
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "5"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7084
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "6"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7085
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "7"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7086
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "8"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7087
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "9"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7088
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "10"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7089
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "11"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7090
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "12"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7091
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "13"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7092
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "14"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7093
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "15"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7094
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "16"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7095
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "17"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7096
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "18"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7097
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "19"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7098
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "20"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7099
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "21"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7100
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "22"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7101
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "23"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7102
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "24"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7103
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "25"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7104
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "26"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7105
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "27"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7106
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "28"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7107
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "29"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7108
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "30"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7109
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "31"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7110
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "32"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7111
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "33"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7112
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "34"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7113
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "35"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7114
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "36"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7115
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "37"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7116
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "38"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7117
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "39"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7118
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "40"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7119
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "41"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7120
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "42"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7121
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "43"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7122
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "44"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7123
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "45"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7124
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "46"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7125
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "47"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7126
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "48"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7127
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "49"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7128
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "50"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7129
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "51"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7130
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "52"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7131
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "53"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7132
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "54"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7133
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "55"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7134
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "56"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7135
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "57"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7136
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "58"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7137
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "59"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7138
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "60"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7139
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "61"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7140
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "62"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7141
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "63"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7142
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "64"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7143
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "65"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7144
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "66"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7145
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "67"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7146
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77150000"
              },
              {
                "name": "FunctionName",
                "value": "RegCloseKey"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77257e70"
              }
            ],
            "repeated": 0,
            "id": 7147
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 7148
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7149
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000234"
              },
              {
                "name": "ObjectAttributesName",
                "value": "EUDC\\1251"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\EUDC\\1251"
              }
            ],
            "repeated": 0,
            "id": 7150
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7151
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000118"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              }
            ],
            "repeated": 0,
            "id": 7152
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77150000"
              },
              {
                "name": "FunctionName",
                "value": "RegQueryInfoKeyW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77255660"
              }
            ],
            "repeated": 0,
            "id": 7153
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "KeyInformation",
                "value": "o\\xff9b\\x11,\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00%\\x00\\x00\\x004\\x00\\x00\\x00*\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 7154
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09de7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7155
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7156
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7157
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7158
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7159
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "4"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7160
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "5"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7161
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "6"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7162
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "7"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7163
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "8"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7164
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "9"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7165
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "10"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7166
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "11"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7167
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "12"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7168
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "13"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7169
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "14"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7170
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "15"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7171
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "16"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7172
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "17"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7173
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "18"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7174
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "19"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7175
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "20"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7176
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "21"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7177
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "22"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7178
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "23"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7179
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "24"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7180
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "25"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7181
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "26"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7182
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "27"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7183
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "28"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7184
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "29"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7185
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "30"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7186
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "31"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7187
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "32"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7188
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "33"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7189
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "34"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7190
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "35"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7191
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "36"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7192
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "Index",
                "value": "37"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7193
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 7194
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7195
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000059c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\micross.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7196
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000059c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\micross.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7197
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7198
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000059c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\micross.ttf"
              }
            ],
            "repeated": 0,
            "id": 7199
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005a0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a1e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fda80"
              },
              {
                "name": "ViewSize",
                "value": "0x000d6000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7200
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 7201
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7202
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 7203
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ac000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 7204
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ac000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7205
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7206
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088bd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 7207
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ad000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 7208
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 7209
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ad000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7210
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7211
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088bd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7212
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 7213
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088af000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 7214
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7215
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b61000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7216
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x082961e2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088af000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7217
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x74160000"
              },
              {
                "name": "FunctionName",
                "value": "ND_RI2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x74173a30"
              }
            ],
            "repeated": 0,
            "id": 7218
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x74160000"
              },
              {
                "name": "FunctionName",
                "value": "ND_RU1"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x74173960"
              }
            ],
            "repeated": 0,
            "id": 7219
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipGetFontUnit"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a025e0"
              }
            ],
            "repeated": 0,
            "id": 7220
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipGetFontSize"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a02910"
              }
            ],
            "repeated": 0,
            "id": 7221
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipGetFontStyle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a02560"
              }
            ],
            "repeated": 0,
            "id": 7222
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipGetFamily"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a024e0"
              }
            ],
            "repeated": 0,
            "id": 7223
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "ReleaseDC"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d4e390"
              }
            ],
            "repeated": 0,
            "id": 7224
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipCreateFromHDC"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x709d0dc0"
              }
            ],
            "repeated": 0,
            "id": 7225
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipGetDpiY"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a10480"
              }
            ],
            "repeated": 0,
            "id": 7226
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipGetFontHeight"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a02660"
              }
            ],
            "repeated": 0,
            "id": 7227
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipGetEmHeight"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a020f0"
              }
            ],
            "repeated": 0,
            "id": 7228
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipGetLineSpacing"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a02180"
              }
            ],
            "repeated": 0,
            "id": 7229
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipDeleteGraphics"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x709dd8c0"
              }
            ],
            "repeated": 0,
            "id": 7230
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipCreateFont"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a03d70"
              }
            ],
            "repeated": 0,
            "id": 7231
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipDeleteFont"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a0df30"
              }
            ],
            "repeated": 0,
            "id": 7232
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetSysColor"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d3cf90"
              }
            ],
            "repeated": 0,
            "id": 7233
          },
          {
            "timestamp": "2026-04-16 20:00:21,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x082961e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetSysColorW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7234
          },
          {
            "timestamp": "2026-04-16 20:00:22,096",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081b1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7235
          },
          {
            "timestamp": "2026-04-16 20:00:22,096",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7236
          },
          {
            "timestamp": "2026-04-16 20:00:22,096",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08620000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 7237
          },
          {
            "timestamp": "2026-04-16 20:00:22,111",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08294184",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipCreateStringFormat"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a37e10"
              }
            ],
            "repeated": 0,
            "id": 7238
          },
          {
            "timestamp": "2026-04-16 20:00:22,111",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829af0a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipSetStringFormatLineAlign"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a44dd0"
              }
            ],
            "repeated": 0,
            "id": 7239
          },
          {
            "timestamp": "2026-04-16 20:00:22,111",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08294184",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipCreatePen1"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x709ee730"
              }
            ],
            "repeated": 0,
            "id": 7240
          },
          {
            "timestamp": "2026-04-16 20:00:22,111",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829acc3",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipCreateSolidFill"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a09a30"
              }
            ],
            "repeated": 0,
            "id": 7241
          },
          {
            "timestamp": "2026-04-16 20:00:22,111",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829acc3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ec3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7242
          },
          {
            "timestamp": "2026-04-16 20:00:22,127",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0829b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7243
          },
          {
            "timestamp": "2026-04-16 20:00:22,127",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x085a3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7244
          },
          {
            "timestamp": "2026-04-16 20:00:22,143",
            "thread_id": "4344",
            "caller": "0x07ec2f87",
            "parentcaller": "0x0829b74e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09dec000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7245
          },
          {
            "timestamp": "2026-04-16 20:00:22,143",
            "thread_id": "4344",
            "caller": "0x08295880",
            "parentcaller": "0x08293e6a",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x0000000c"
              }
            ],
            "repeated": 0,
            "id": 7246
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0829c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7247
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c2f2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "SystemParametersInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7248
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c2f2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "SystemParametersInfoW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d44bd0"
              }
            ],
            "repeated": 0,
            "id": 7249
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4344",
            "caller": "0x07ec26dc",
            "parentcaller": "0x0829c2f2",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000029"
              },
              {
                "name": "uiParam",
                "value": "0x000001f4"
              }
            ],
            "repeated": 0,
            "id": 7250
          },
          {
            "timestamp": "2026-04-16 20:00:22,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "MonitorFromRect"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d38da0"
              }
            ],
            "repeated": 0,
            "id": 7251
          },
          {
            "timestamp": "2026-04-16 20:00:22,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetMonitorInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7252
          },
          {
            "timestamp": "2026-04-16 20:00:22,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetMonitorInfoW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d42980"
              }
            ],
            "repeated": 0,
            "id": 7253
          },
          {
            "timestamp": "2026-04-16 20:00:22,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "CreateDC"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7254
          },
          {
            "timestamp": "2026-04-16 20:00:22,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "CreateDCW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a853a0"
              }
            ],
            "repeated": 0,
            "id": 7255
          },
          {
            "timestamp": "2026-04-16 20:00:22,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "GetDeviceCaps"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a85ec0"
              }
            ],
            "repeated": 0,
            "id": 7256
          },
          {
            "timestamp": "2026-04-16 20:00:22,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "DeleteDC"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86790"
              }
            ],
            "repeated": 0,
            "id": 7257
          },
          {
            "timestamp": "2026-04-16 20:00:22,189",
            "thread_id": "4344",
            "caller": "0x0829c33a",
            "parentcaller": "0x08295e13",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f8b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7258
          },
          {
            "timestamp": "2026-04-16 20:00:22,189",
            "thread_id": "4344",
            "caller": "0x07ec2547",
            "parentcaller": "0x0829c383",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x0000100a"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7259
          },
          {
            "timestamp": "2026-04-16 20:00:22,299",
            "thread_id": "4344",
            "caller": "0x0829c383",
            "parentcaller": "0x082944d9",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x0000000c"
              }
            ],
            "repeated": 2,
            "id": 7260
          },
          {
            "timestamp": "2026-04-16 20:00:22,330",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x085a4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7261
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4344",
            "caller": "0x07ec3039",
            "parentcaller": "0x0829c878",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ded000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7262
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x08294d2a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipCreateFontFamilyFromName"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x709f7600"
              }
            ],
            "repeated": 0,
            "id": 7263
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7264
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\verdana.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7265
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\verdana.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7266
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7267
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000594"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\verdana.ttf"
              }
            ],
            "repeated": 0,
            "id": 7268
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08630000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdca8"
              },
              {
                "name": "ViewSize",
                "value": "0x0003c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7269
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 7270
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7271
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 7272
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ad000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 7273
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ad000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7274
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7275
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b69000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7276
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7277
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\verdanai.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7278
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\verdanai.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7279
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7280
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000058c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\verdanai.ttf"
              }
            ],
            "repeated": 0,
            "id": 7281
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000588"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09980000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdca8"
              },
              {
                "name": "ViewSize",
                "value": "0x00037000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7282
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 7283
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7284
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 7285
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ad000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 7286
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ad000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7287
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7288
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b6d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7289
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7290
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\verdanab.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7291
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000584"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\verdanab.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7292
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7293
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000584"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\verdanab.ttf"
              }
            ],
            "repeated": 0,
            "id": 7294
          },
          {
            "timestamp": "2026-04-16 20:00:22,393",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000564"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a2c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdca8"
              },
              {
                "name": "ViewSize",
                "value": "0x00034000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7295
          },
          {
            "timestamp": "2026-04-16 20:00:22,393",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 7296
          },
          {
            "timestamp": "2026-04-16 20:00:22,393",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7297
          },
          {
            "timestamp": "2026-04-16 20:00:22,393",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 7298
          },
          {
            "timestamp": "2026-04-16 20:00:22,393",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 7299
          },
          {
            "timestamp": "2026-04-16 20:00:22,393",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7300
          },
          {
            "timestamp": "2026-04-16 20:00:22,393",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7301
          },
          {
            "timestamp": "2026-04-16 20:00:22,393",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7302
          },
          {
            "timestamp": "2026-04-16 20:00:22,393",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7303
          },
          {
            "timestamp": "2026-04-16 20:00:22,393",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\verdanaz.ttf"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7304
          },
          {
            "timestamp": "2026-04-16 20:00:22,393",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\verdanaz.ttf"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7305
          },
          {
            "timestamp": "2026-04-16 20:00:22,393",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7306
          },
          {
            "timestamp": "2026-04-16 20:00:22,393",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000590"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\verdanaz.ttf"
              }
            ],
            "repeated": 0,
            "id": 7307
          },
          {
            "timestamp": "2026-04-16 20:00:22,393",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000578"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a300000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdca8"
              },
              {
                "name": "ViewSize",
                "value": "0x00039000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7308
          },
          {
            "timestamp": "2026-04-16 20:00:22,393",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 7309
          },
          {
            "timestamp": "2026-04-16 20:00:22,393",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7310
          },
          {
            "timestamp": "2026-04-16 20:00:22,393",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 7311
          },
          {
            "timestamp": "2026-04-16 20:00:22,393",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ad000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 7312
          },
          {
            "timestamp": "2026-04-16 20:00:22,393",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ad000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7313
          },
          {
            "timestamp": "2026-04-16 20:00:22,393",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7314
          },
          {
            "timestamp": "2026-04-16 20:00:22,393",
            "thread_id": "4344",
            "caller": "0x07ec2e22",
            "parentcaller": "0x08294d2a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b74000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7315
          },
          {
            "timestamp": "2026-04-16 20:00:22,471",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0829d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7316
          },
          {
            "timestamp": "2026-04-16 20:00:22,533",
            "thread_id": "4344",
            "caller": "0x07ec2f87",
            "parentcaller": "0x0829b810",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09def000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7317
          },
          {
            "timestamp": "2026-04-16 20:00:22,533",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x085a5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7318
          },
          {
            "timestamp": "2026-04-16 20:00:22,549",
            "thread_id": "4344",
            "caller": "0x0829dc91",
            "parentcaller": "0x0829dc3a",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7319
          },
          {
            "timestamp": "2026-04-16 20:00:22,549",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x05730626",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetDoubleClickTime"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d51590"
              }
            ],
            "repeated": 0,
            "id": 7320
          },
          {
            "timestamp": "2026-04-16 20:00:22,549",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipCreateBitmapFromStream"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a12520"
              }
            ],
            "repeated": 0,
            "id": 7321
          },
          {
            "timestamp": "2026-04-16 20:00:22,564",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\WindowsCodecs"
              },
              {
                "name": "DllBase",
                "value": "0x70360000"
              }
            ],
            "repeated": 0,
            "id": 7322
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "WindowsCodecs.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x70360000"
              }
            ],
            "repeated": 0,
            "id": 7323
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "WindowsCodecs.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x70360000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x703ba840"
              }
            ],
            "repeated": 0,
            "id": 7324
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7325
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7326
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xcc\\xd5\\x0f\\x01\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xcc\\x04\\x82\\xdf\\xb2e\\xf3\\xf4\\xc8\\x97L\\xbe\\xe8\\x03\\x00\\x00\\x00\\x00\\x00\\x00 \\x00H\\x00(\\x1c1\\x01\\x00\\x1d1\\x01\\xb8\\xd11\\x01\\x00\\x00*\\x01\\x94\\xd6\\x0f\\x01 \\xd6\\x0f\\x01\\xe6<\\xe8w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7327
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000598"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 7328
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7329
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7330
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7331
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000059a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{A26CEC36-234C-4950-AE16-E34AACE71D0D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A26CEC36-234C-4950-AE16-E34AACE71D0D}"
              }
            ],
            "repeated": 0,
            "id": 7332
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{A26CEC36-234C-4950-AE16-E34AACE71D0D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{A26CEC36-234C-4950-AE16-E34AACE71D0D}"
              }
            ],
            "repeated": 0,
            "id": 7333
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              }
            ],
            "repeated": 0,
            "id": 7334
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7335
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7336
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7337
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000059a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{E9A4A80A-44FE-4DE4-8971-7150B10A5199}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E9A4A80A-44FE-4DE4-8971-7150B10A5199}"
              }
            ],
            "repeated": 0,
            "id": 7338
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{E9A4A80A-44FE-4DE4-8971-7150B10A5199}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E9A4A80A-44FE-4DE4-8971-7150B10A5199}"
              }
            ],
            "repeated": 0,
            "id": 7339
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              }
            ],
            "repeated": 0,
            "id": 7340
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7341
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7342
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7343
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000059a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{7693E886-51C9-4070-8419-9F70738EC8FA}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{7693E886-51C9-4070-8419-9F70738EC8FA}"
              }
            ],
            "repeated": 0,
            "id": 7344
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{7693E886-51C9-4070-8419-9F70738EC8FA}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{7693E886-51C9-4070-8419-9F70738EC8FA}"
              }
            ],
            "repeated": 0,
            "id": 7345
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              }
            ],
            "repeated": 0,
            "id": 7346
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7347
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7348
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7349
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000059a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{AC4CE3CB-E1C1-44CD-8215-5A1665509EC2}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AC4CE3CB-E1C1-44CD-8215-5A1665509EC2}"
              }
            ],
            "repeated": 0,
            "id": 7350
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{AC4CE3CB-E1C1-44CD-8215-5A1665509EC2}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{AC4CE3CB-E1C1-44CD-8215-5A1665509EC2}"
              }
            ],
            "repeated": 0,
            "id": 7351
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              }
            ],
            "repeated": 0,
            "id": 7352
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7353
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7354
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7355
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000059a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{0DBECEC1-9EB3-4860-9C6F-DDBE86634575}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{0DBECEC1-9EB3-4860-9C6F-DDBE86634575}"
              }
            ],
            "repeated": 0,
            "id": 7356
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{0DBECEC1-9EB3-4860-9C6F-DDBE86634575}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{0DBECEC1-9EB3-4860-9C6F-DDBE86634575}"
              }
            ],
            "repeated": 0,
            "id": 7357
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              }
            ],
            "repeated": 0,
            "id": 7358
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7359
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7360
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7361
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000059a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{72B624DF-AE11-4948-A65C-351EB0829419}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{72B624DF-AE11-4948-A65C-351EB0829419}"
              }
            ],
            "repeated": 0,
            "id": 7362
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{72B624DF-AE11-4948-A65C-351EB0829419}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{72B624DF-AE11-4948-A65C-351EB0829419}"
              }
            ],
            "repeated": 0,
            "id": 7363
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              }
            ],
            "repeated": 0,
            "id": 7364
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7365
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7366
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7367
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000059a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{01B90D9A-8209-47F7-9C52-E1244BF50CED}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{01B90D9A-8209-47F7-9C52-E1244BF50CED}"
              }
            ],
            "repeated": 0,
            "id": 7368
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{01B90D9A-8209-47F7-9C52-E1244BF50CED}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{01B90D9A-8209-47F7-9C52-E1244BF50CED}"
              }
            ],
            "repeated": 0,
            "id": 7369
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              }
            ],
            "repeated": 0,
            "id": 7370
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7371
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7372
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7373
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000059a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{E7E79A30-4F2C-4FAB-8D00-394F2D6BBEBE}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E7E79A30-4F2C-4FAB-8D00-394F2D6BBEBE}"
              }
            ],
            "repeated": 0,
            "id": 7374
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{E7E79A30-4F2C-4FAB-8D00-394F2D6BBEBE}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E7E79A30-4F2C-4FAB-8D00-394F2D6BBEBE}"
              }
            ],
            "repeated": 0,
            "id": 7375
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              }
            ],
            "repeated": 0,
            "id": 7376
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7377
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7378
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7379
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000059a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{7F12E753-FC71-43D7-A51D-92F35977ABB5}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{7F12E753-FC71-43D7-A51D-92F35977ABB5}"
              }
            ],
            "repeated": 0,
            "id": 7380
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{7F12E753-FC71-43D7-A51D-92F35977ABB5}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{7F12E753-FC71-43D7-A51D-92F35977ABB5}"
              }
            ],
            "repeated": 0,
            "id": 7381
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              }
            ],
            "repeated": 0,
            "id": 7382
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7383
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7384
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7385
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000059a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{AA94DCC2-B8B0-4898-B835-000AABD74393}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AA94DCC2-B8B0-4898-B835-000AABD74393}"
              }
            ],
            "repeated": 0,
            "id": 7386
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{AA94DCC2-B8B0-4898-B835-000AABD74393}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{AA94DCC2-B8B0-4898-B835-000AABD74393}"
              }
            ],
            "repeated": 0,
            "id": 7387
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              }
            ],
            "repeated": 0,
            "id": 7388
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7389
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7390
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7391
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000059a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{1765E14E-1BD4-462E-B6B1-590BF1262AC6}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1765E14E-1BD4-462E-B6B1-590BF1262AC6}"
              }
            ],
            "repeated": 0,
            "id": 7392
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{1765E14E-1BD4-462E-B6B1-590BF1262AC6}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1765E14E-1BD4-462E-B6B1-590BF1262AC6}"
              }
            ],
            "repeated": 0,
            "id": 7393
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              }
            ],
            "repeated": 0,
            "id": 7394
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7395
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7396
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7397
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000059a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{22C21F93-7DDB-411C-9B17-C5B7BD064ABC}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{22C21F93-7DDB-411C-9B17-C5B7BD064ABC}"
              }
            ],
            "repeated": 0,
            "id": 7398
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{22C21F93-7DDB-411C-9B17-C5B7BD064ABC}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{22C21F93-7DDB-411C-9B17-C5B7BD064ABC}"
              }
            ],
            "repeated": 0,
            "id": 7399
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              }
            ],
            "repeated": 0,
            "id": 7400
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7401
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7402
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7403
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000059a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{ED822C8C-D6BE-4301-A631-0E1416BAD28F}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{ED822C8C-D6BE-4301-A631-0E1416BAD28F}"
              }
            ],
            "repeated": 0,
            "id": 7404
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{ED822C8C-D6BE-4301-A631-0E1416BAD28F}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{ED822C8C-D6BE-4301-A631-0E1416BAD28F}"
              }
            ],
            "repeated": 0,
            "id": 7405
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              }
            ],
            "repeated": 0,
            "id": 7406
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7407
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7408
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7409
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000059a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{6D68D1DE-D432-4B0F-923A-091183A9BDA7}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6D68D1DE-D432-4B0F-923A-091183A9BDA7}"
              }
            ],
            "repeated": 0,
            "id": 7410
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{6D68D1DE-D432-4B0F-923A-091183A9BDA7}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{6D68D1DE-D432-4B0F-923A-091183A9BDA7}"
              }
            ],
            "repeated": 0,
            "id": 7411
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              }
            ],
            "repeated": 0,
            "id": 7412
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7413
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7414
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7415
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000059a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{076C2A6C-F78F-4C46-A723-3583E70876EA}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{076C2A6C-F78F-4C46-A723-3583E70876EA}"
              }
            ],
            "repeated": 0,
            "id": 7416
          },
          {
            "timestamp": "2026-04-16 20:00:22,643",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{076C2A6C-F78F-4C46-A723-3583E70876EA}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{076C2A6C-F78F-4C46-A723-3583E70876EA}"
              }
            ],
            "repeated": 0,
            "id": 7417
          },
          {
            "timestamp": "2026-04-16 20:00:22,643",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              }
            ],
            "repeated": 0,
            "id": 7418
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7419
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7420
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7421
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000059a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{C17CABB2-D4A3-47D7-A557-339B2EFBD4F1}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C17CABB2-D4A3-47D7-A557-339B2EFBD4F1}"
              }
            ],
            "repeated": 0,
            "id": 7422
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{C17CABB2-D4A3-47D7-A557-339B2EFBD4F1}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{C17CABB2-D4A3-47D7-A557-339B2EFBD4F1}"
              }
            ],
            "repeated": 0,
            "id": 7423
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              }
            ],
            "repeated": 0,
            "id": 7424
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7425
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7426
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7427
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000059a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{9CB5172B-D600-46BA-AB77-77BB7E3A00D9}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{9CB5172B-D600-46BA-AB77-77BB7E3A00D9}"
              }
            ],
            "repeated": 0,
            "id": 7428
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{9CB5172B-D600-46BA-AB77-77BB7E3A00D9}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{9CB5172B-D600-46BA-AB77-77BB7E3A00D9}"
              }
            ],
            "repeated": 0,
            "id": 7429
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              }
            ],
            "repeated": 0,
            "id": 7430
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7431
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7432
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7433
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000059a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 7434
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 7435
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7436
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000_Classes"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7437
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000059a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x01\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7438
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000059a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance\\Disabled"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance\\Disabled"
              }
            ],
            "repeated": 0,
            "id": 7439
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance\\Disabled"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance\\Disabled"
              }
            ],
            "repeated": 0,
            "id": 7440
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x02f6a1c4",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              }
            ],
            "repeated": 0,
            "id": 7441
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipImageForceValidation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a0a7b0"
              }
            ],
            "repeated": 0,
            "id": 7442
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipGetImageRawFormat"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a069a0"
              }
            ],
            "repeated": 0,
            "id": 7443
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipGetImageWidth"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a10c40"
              }
            ],
            "repeated": 0,
            "id": 7444
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipGetImageHeight"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a10e60"
              }
            ],
            "repeated": 0,
            "id": 7445
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipCreateBitmapFromScan0"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x709e0ee0"
              }
            ],
            "repeated": 0,
            "id": 7446
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipGetImagePixelFormat"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a10d50"
              }
            ],
            "repeated": 0,
            "id": 7447
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipGetImageGraphicsContext"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x709e3df0"
              }
            ],
            "repeated": 0,
            "id": 7448
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipGraphicsClear"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x709e2320"
              }
            ],
            "repeated": 0,
            "id": 7449
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipCreateImageAttributes"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x709e20d0"
              }
            ],
            "repeated": 0,
            "id": 7450
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipSetImageAttributesColorKeys"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x709e2020"
              }
            ],
            "repeated": 0,
            "id": 7451
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipDrawImageRectRectI"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x709ffaa0"
              }
            ],
            "repeated": 0,
            "id": 7452
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4344",
            "caller": "0x07ec350f",
            "parentcaller": "0x0829c33a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09df2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7453
          },
          {
            "timestamp": "2026-04-16 20:00:22,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipDisposeImageAttributes"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x709e2200"
              }
            ],
            "repeated": 0,
            "id": 7454
          },
          {
            "timestamp": "2026-04-16 20:00:22,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829c33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipDisposeImage"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a15080"
              }
            ],
            "repeated": 0,
            "id": 7455
          },
          {
            "timestamp": "2026-04-16 20:00:22,705",
            "thread_id": "4344",
            "caller": "0x0829c33a",
            "parentcaller": "0x082952a3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c32000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7456
          },
          {
            "timestamp": "2026-04-16 20:00:22,705",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0829e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7457
          },
          {
            "timestamp": "2026-04-16 20:00:22,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829cbb3",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "CreateCompatibleDC"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86c90"
              }
            ],
            "repeated": 0,
            "id": 7458
          },
          {
            "timestamp": "2026-04-16 20:00:22,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829cbb3",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipGetLogFontW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a3d100"
              }
            ],
            "repeated": 0,
            "id": 7459
          },
          {
            "timestamp": "2026-04-16 20:00:22,736",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829cbb3",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "CreateFontIndirect"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7460
          },
          {
            "timestamp": "2026-04-16 20:00:22,736",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829cbb3",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "CreateFontIndirectW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a85dd0"
              }
            ],
            "repeated": 0,
            "id": 7461
          },
          {
            "timestamp": "2026-04-16 20:00:22,736",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829cbb3",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "SelectObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86ba0"
              }
            ],
            "repeated": 0,
            "id": 7462
          },
          {
            "timestamp": "2026-04-16 20:00:22,736",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829cbb3",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "GetTextMetricsW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86e40"
              }
            ],
            "repeated": 0,
            "id": 7463
          },
          {
            "timestamp": "2026-04-16 20:00:22,736",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829cbb3",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "GetTextExtentPoint32W"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86bf0"
              }
            ],
            "repeated": 0,
            "id": 7464
          },
          {
            "timestamp": "2026-04-16 20:00:22,736",
            "thread_id": "4344",
            "caller": "0x07ec35e3",
            "parentcaller": "0x0829cbb3",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000419",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 0,
            "id": 7465
          },
          {
            "timestamp": "2026-04-16 20:00:22,736",
            "thread_id": "4344",
            "caller": "0x07ec35e3",
            "parentcaller": "0x0829cbb3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01346000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7466
          },
          {
            "timestamp": "2026-04-16 20:00:22,736",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829cbb3",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "DeleteObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a85780"
              }
            ],
            "repeated": 0,
            "id": 7467
          },
          {
            "timestamp": "2026-04-16 20:00:22,736",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetCurrentActCtx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ae3460"
              }
            ],
            "repeated": 0,
            "id": 7468
          },
          {
            "timestamp": "2026-04-16 20:00:22,736",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "ActivateActCtx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0ac0"
              }
            ],
            "repeated": 0,
            "id": 7469
          },
          {
            "timestamp": "2026-04-16 20:00:22,736",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x02f6b54b",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": true,
            "return": "0x00000400",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "78"
              }
            ],
            "repeated": 0,
            "id": 7470
          },
          {
            "timestamp": "2026-04-16 20:00:22,736",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x02f6b54b",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": true,
            "return": "0x00000300",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 7471
          },
          {
            "timestamp": "2026-04-16 20:00:22,736",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "SetWindowText"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7472
          },
          {
            "timestamp": "2026-04-16 20:00:22,736",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "SetWindowTextW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d4a510"
              }
            ],
            "repeated": 0,
            "id": 7473
          },
          {
            "timestamp": "2026-04-16 20:00:22,736",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetStartupInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7474
          },
          {
            "timestamp": "2026-04-16 20:00:22,736",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetStartupInfoW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad1550"
              }
            ],
            "repeated": 0,
            "id": 7475
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetSystemMetrics"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d44920"
              }
            ],
            "repeated": 0,
            "id": 7476
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "GetDeviceCaps"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a85ec0"
              }
            ],
            "repeated": 0,
            "id": 7477
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "CreateIconFromResourceEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d34850"
              }
            ],
            "repeated": 0,
            "id": 7478
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "SendMessage"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7479
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "SendMessageW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d45540"
              }
            ],
            "repeated": 0,
            "id": 7480
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetSystemMenu"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d51860"
              }
            ],
            "repeated": 0,
            "id": 7481
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x0802c291",
            "parentcaller": "0x0802be36",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 7482
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x0802c291",
            "parentcaller": "0x0802be36",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000057c"
              },
              {
                "name": "ValueName",
                "value": "Latest"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest"
              }
            ],
            "repeated": 0,
            "id": 7483
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x0802c291",
            "parentcaller": "0x0802be36",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 7484
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x0802c291",
            "parentcaller": "0x0802be36",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000057c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\USER32.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7485
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x0802c291",
            "parentcaller": "0x0802be36",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000057c"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\user32.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 7486
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x0802c291",
            "parentcaller": "0x0802be36",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004e8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x099c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdb48"
              },
              {
                "name": "ViewSize",
                "value": "0x00008000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7487
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x0802c291",
            "parentcaller": "0x0802be36",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e8"
              }
            ],
            "repeated": 0,
            "id": 7488
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetWindowPlacement"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d51950"
              }
            ],
            "repeated": 0,
            "id": 7489
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "EnableMenuItem"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d301c0"
              }
            ],
            "repeated": 0,
            "id": 7490
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetClientRect"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d44cc0"
              }
            ],
            "repeated": 0,
            "id": 7491
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetWindowTextLength"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7492
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetWindowTextLengthW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d4a4c0"
              }
            ],
            "repeated": 0,
            "id": 7493
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetWindowText"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7494
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetWindowTextW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d49d50"
              }
            ],
            "repeated": 0,
            "id": 7495
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "SetWindowPos"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d52370"
              }
            ],
            "repeated": 0,
            "id": 7496
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "RedrawWindow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d51e90"
              }
            ],
            "repeated": 0,
            "id": 7497
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "ShowWindow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d523d0"
              }
            ],
            "repeated": 0,
            "id": 7498
          },
          {
            "timestamp": "2026-04-16 20:00:22,768",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetWindow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d4bcb0"
              }
            ],
            "repeated": 0,
            "id": 7499
          },
          {
            "timestamp": "2026-04-16 20:00:22,768",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "MapWindowPoints"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d44810"
              }
            ],
            "repeated": 0,
            "id": 7500
          },
          {
            "timestamp": "2026-04-16 20:00:22,768",
            "thread_id": "4344",
            "caller": "0x02f6b93e",
            "parentcaller": "0x057309dc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05732000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7501
          },
          {
            "timestamp": "2026-04-16 20:00:22,768",
            "thread_id": "4344",
            "caller": "0x02f6b93e",
            "parentcaller": "0x057309dc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05734000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7502
          },
          {
            "timestamp": "2026-04-16 20:00:22,768",
            "thread_id": "4344",
            "caller": "0x02f6b93e",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              }
            ],
            "repeated": 0,
            "id": 7503
          },
          {
            "timestamp": "2026-04-16 20:00:22,768",
            "thread_id": "4344",
            "caller": "0x02f6b93e",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e8"
              },
              {
                "name": "ValueName",
                "value": "ResourcePolicies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies"
              }
            ],
            "repeated": 0,
            "id": 7504
          },
          {
            "timestamp": "2026-04-16 20:00:22,768",
            "thread_id": "4344",
            "caller": "0x02f6b93e",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e8"
              }
            ],
            "repeated": 0,
            "id": 7505
          },
          {
            "timestamp": "2026-04-16 20:00:22,768",
            "thread_id": "4344",
            "caller": "0x02f6b93e",
            "parentcaller": "0x057309dc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x099d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7506
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4344",
            "caller": "0x02f6b93e",
            "parentcaller": "0x057309dc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x099d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7507
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrLoadDll",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7508
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\comctl32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 7509
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\\comctl32"
              },
              {
                "name": "DllBase",
                "value": "0x70150000"
              }
            ],
            "repeated": 0,
            "id": 7510
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "4344"
              },
              {
                "name": "Module",
                "value": "KERNEL32.dll"
              },
              {
                "name": "Return Address",
                "value": "0x76ad24ac"
              }
            ],
            "repeated": 0,
            "id": 7511
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x70150000"
              }
            ],
            "repeated": 0,
            "id": 7512
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x70150000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "comctl32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7513
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "comctl32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x70150000"
              },
              {
                "name": "FunctionName",
                "value": "InitCommonControlsEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x701a33e0"
              }
            ],
            "repeated": 0,
            "id": 7514
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetClassInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7515
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetClassInfoW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d3df90"
              }
            ],
            "repeated": 0,
            "id": 7516
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4344",
            "caller": "0x07c6a52a",
            "parentcaller": "0x05730864",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0134b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7517
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4344",
            "caller": "0x0829e2cb",
            "parentcaller": "0x057309dc",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001022"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7518
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4344",
            "caller": "0x0829e2cb",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "user32"
              },
              {
                "name": "BaseAddress",
                "value": "0x75d10000"
              }
            ],
            "repeated": 0,
            "id": 7519
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4344",
            "caller": "0x0829e2cb",
            "parentcaller": "0x057309dc",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7520
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4344",
            "caller": "0x0829e2cb",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000118"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\CTF\\Compatibility\\NanoCore.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 7521
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829e2cb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "SendMessage"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7522
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829e2cb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "SendMessageW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d45540"
              }
            ],
            "repeated": 0,
            "id": 7523
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829e2cb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "SendMessage"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7524
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829e2cb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "SendMessageW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d45540"
              }
            ],
            "repeated": 0,
            "id": 7525
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4344",
            "caller": "0x0829e2cb",
            "parentcaller": "0x057309dc",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001022"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7526
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4344",
            "caller": "0x0829e2cb",
            "parentcaller": "0x057309dc",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x0000000c"
              }
            ],
            "repeated": 0,
            "id": 7527
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081a6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7528
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0134e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7529
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x081a7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7530
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x085a6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7531
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7532
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01350000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7533
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01353000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7534
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01356000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7535
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09f00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7536
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09f00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 7537
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 7538
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a618",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0829f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7539
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x085a7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7540
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829f426",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "SetTimer"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d4e970"
              }
            ],
            "repeated": 0,
            "id": 7541
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829f442",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetWindowThreadProcessId"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d4a660"
              }
            ],
            "repeated": 0,
            "id": 7542
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829f442",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "IsWindow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d4a000"
              }
            ],
            "repeated": 0,
            "id": 7543
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829f442",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ec4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7544
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829f442",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "KillTimer"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d51b80"
              }
            ],
            "repeated": 0,
            "id": 7545
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4344",
            "caller": "0x07ec0210",
            "parentcaller": "0x0829f938",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0134c000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 7546
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4344",
            "caller": "0x07ec23cc",
            "parentcaller": "0x0829c64b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x70150000"
              }
            ],
            "repeated": 0,
            "id": 7547
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4344",
            "caller": "0x07ec23cc",
            "parentcaller": "0x0829c64b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "comctl32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x70150000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterClassNameW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x701a3530"
              }
            ],
            "repeated": 0,
            "id": 7548
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x02f6b54b",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x0000000c"
              }
            ],
            "repeated": 2,
            "id": 7549
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0134c000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7550
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0829fd20",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "SetForegroundWindow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d50470"
              }
            ],
            "repeated": 0,
            "id": 7551
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77060000"
              },
              {
                "name": "FunctionName",
                "value": "OleInitialize"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77083a30"
              }
            ],
            "repeated": 0,
            "id": 7552
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x02f6b456",
            "parentcaller": "0x057309dc",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000056c"
              }
            ],
            "repeated": 0,
            "id": 7553
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x02f6b456",
            "parentcaller": "0x057309dc",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7554
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x02f6b456",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000056c"
              }
            ],
            "repeated": 0,
            "id": 7555
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x02f6b456",
            "parentcaller": "0x057309dc",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "OleDropTargetInterface"
              },
              {
                "name": "Atom",
                "value": "0x0000c01b"
              }
            ],
            "repeated": 0,
            "id": 7556
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x02f6b456",
            "parentcaller": "0x057309dc",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "OleDropTargetMarshalHwnd"
              },
              {
                "name": "Atom",
                "value": "0x0000c01c"
              }
            ],
            "repeated": 0,
            "id": 7557
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77060000"
              },
              {
                "name": "FunctionName",
                "value": "CoRegisterMessageFilter"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7708dc80"
              }
            ],
            "repeated": 0,
            "id": 7558
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetFocus"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d4e960"
              }
            ],
            "repeated": 0,
            "id": 7559
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "SetFocus"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d52160"
              }
            ],
            "repeated": 0,
            "id": 7560
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04190419",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 0,
            "id": 7561
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000056c"
              }
            ],
            "repeated": 0,
            "id": 7562
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 1,
            "id": 7563
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000056c"
              }
            ],
            "repeated": 0,
            "id": 7564
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "misc",
            "api": "ChangeWindowMessageFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "message",
                "value": "49238"
              },
              {
                "name": "dwFlag",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7565
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "misc",
            "api": "ChangeWindowMessageFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "message",
                "value": "49239"
              },
              {
                "name": "dwFlag",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7566
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000056c"
              }
            ],
            "repeated": 0,
            "id": 7567
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 1,
            "id": 7568
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000056c"
              }
            ],
            "repeated": 0,
            "id": 7569
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "synchronization",
            "api": "NtOpenMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000056c"
              },
              {
                "name": "MutexName",
                "value": "Local\\MSCTF.Asm.MutexDefault1"
              }
            ],
            "repeated": 0,
            "id": 7570
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7571
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000056c"
              },
              {
                "name": "Milliseconds",
                "value": "2000"
              }
            ],
            "repeated": 0,
            "id": 7572
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000560"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\CTF.AsmListCache.FMPDefault1"
              }
            ],
            "repeated": 0,
            "id": 7573
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000560"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fcf34"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7574
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7575
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000560"
              }
            ],
            "repeated": 0,
            "id": 7576
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000056c"
              }
            ],
            "repeated": 1,
            "id": 7577
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7578
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000118"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\CTF\\Compatibility\\NanoCore.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 7579
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04190419",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 1,
            "id": 7580
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "8192"
              }
            ],
            "repeated": 0,
            "id": 7581
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "synchronization",
            "api": "NtOpenMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000056c"
              },
              {
                "name": "MutexName",
                "value": "CicLoadWinStaWinSta0"
              }
            ],
            "repeated": 0,
            "id": 7582
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000056c"
              }
            ],
            "repeated": 0,
            "id": 7583
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "synchronization",
            "api": "NtOpenMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000056c"
              },
              {
                "name": "MutexName",
                "value": "Local\\MSCTF.CtfMonitorInstMutexDefault1"
              }
            ],
            "repeated": 0,
            "id": 7584
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000056c"
              }
            ],
            "repeated": 0,
            "id": 7585
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7586
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000056c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000118"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE"
              }
            ],
            "repeated": 0,
            "id": 7587
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000056c"
              },
              {
                "name": "ValueName",
                "value": "LaunchUserOOBE"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE"
              }
            ],
            "repeated": 0,
            "id": 7588
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000056c"
              }
            ],
            "repeated": 0,
            "id": 7589
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7590
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 7591
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e724f0"
              }
            ],
            "repeated": 0,
            "id": 7592
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb40c0"
              }
            ],
            "repeated": 0,
            "id": 7593
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e70780"
              }
            ],
            "repeated": 0,
            "id": 7594
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eac2a0"
              }
            ],
            "repeated": 0,
            "id": 7595
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea52e0"
              }
            ],
            "repeated": 0,
            "id": 7596
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 7597
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:7684:168:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7598
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 7599
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7600
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000554"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7601
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000554"
              }
            ],
            "repeated": 0,
            "id": 7602
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055c"
              }
            ],
            "repeated": 1,
            "id": 7603
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "EventName",
                "value": "Local\\1ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 7604
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09f00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7605
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09f00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7606
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04190419",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 0,
            "id": 7607
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "textinputframework.dll"
              }
            ],
            "repeated": 0,
            "id": 7608
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\textinputframework.dll"
              }
            ],
            "repeated": 0,
            "id": 7609
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\textinputframework.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7610
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000558"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\TextInputFramework.dll"
              }
            ],
            "repeated": 0,
            "id": 7611
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000558"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70090000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000b9000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7612
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "CoreUIComponents.dll"
              }
            ],
            "repeated": 0,
            "id": 7613
          },
          {
            "timestamp": "2026-04-16 20:00:23,158",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "CoreMessaging.dll"
              }
            ],
            "repeated": 0,
            "id": 7614
          },
          {
            "timestamp": "2026-04-16 20:00:23,158",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000558"
              }
            ],
            "repeated": 0,
            "id": 7615
          },
          {
            "timestamp": "2026-04-16 20:00:23,158",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000554"
              }
            ],
            "repeated": 0,
            "id": 7616
          },
          {
            "timestamp": "2026-04-16 20:00:23,158",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\CoreUIComponents.dll"
              }
            ],
            "repeated": 0,
            "id": 7617
          },
          {
            "timestamp": "2026-04-16 20:00:23,158",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\CoreUIComponents.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7618
          },
          {
            "timestamp": "2026-04-16 20:00:23,346",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\CoreUIComponents.dll"
              }
            ],
            "repeated": 0,
            "id": 7619
          },
          {
            "timestamp": "2026-04-16 20:00:23,346",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000508"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fe10000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0027e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7620
          },
          {
            "timestamp": "2026-04-16 20:00:23,361",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "ntmarta.dll"
              }
            ],
            "repeated": 0,
            "id": 7621
          },
          {
            "timestamp": "2026-04-16 20:00:23,361",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "CoreMessaging.dll"
              }
            ],
            "repeated": 0,
            "id": 7622
          },
          {
            "timestamp": "2026-04-16 20:00:23,361",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "wintypes.dll"
              }
            ],
            "repeated": 2,
            "id": 7623
          },
          {
            "timestamp": "2026-04-16 20:00:23,361",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 7624
          },
          {
            "timestamp": "2026-04-16 20:00:23,361",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000554"
              }
            ],
            "repeated": 0,
            "id": 7625
          },
          {
            "timestamp": "2026-04-16 20:00:23,361",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\CoreMessaging.dll"
              }
            ],
            "repeated": 0,
            "id": 7626
          },
          {
            "timestamp": "2026-04-16 20:00:23,361",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\CoreMessaging.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7627
          },
          {
            "timestamp": "2026-04-16 20:00:23,627",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000558"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000554"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\CoreMessaging.dll"
              }
            ],
            "repeated": 0,
            "id": 7628
          },
          {
            "timestamp": "2026-04-16 20:00:23,627",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000558"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fce0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0009b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7629
          },
          {
            "timestamp": "2026-04-16 20:00:24,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000558"
              }
            ],
            "repeated": 0,
            "id": 7630
          },
          {
            "timestamp": "2026-04-16 20:00:24,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000554"
              }
            ],
            "repeated": 0,
            "id": 7631
          },
          {
            "timestamp": "2026-04-16 20:00:24,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ntmarta.dll"
              }
            ],
            "repeated": 0,
            "id": 7632
          },
          {
            "timestamp": "2026-04-16 20:00:24,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ntmarta.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7633
          },
          {
            "timestamp": "2026-04-16 20:00:24,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\ntmarta.dll"
              }
            ],
            "repeated": 0,
            "id": 7634
          },
          {
            "timestamp": "2026-04-16 20:00:24,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x704f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00029000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7635
          },
          {
            "timestamp": "2026-04-16 20:00:24,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 7636
          },
          {
            "timestamp": "2026-04-16 20:00:24,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 7637
          },
          {
            "timestamp": "2026-04-16 20:00:24,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\CoreMessaging.dll"
              }
            ],
            "repeated": 0,
            "id": 7638
          },
          {
            "timestamp": "2026-04-16 20:00:24,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              }
            ],
            "repeated": 0,
            "id": 7639
          },
          {
            "timestamp": "2026-04-16 20:00:24,018",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7640
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\WinTypes.dll"
              }
            ],
            "repeated": 0,
            "id": 7641
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000054c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fc00000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000db000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7642
          },
          {
            "timestamp": "2026-04-16 20:00:24,330",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 7643
          },
          {
            "timestamp": "2026-04-16 20:00:24,346",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 7644
          },
          {
            "timestamp": "2026-04-16 20:00:24,346",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              }
            ],
            "repeated": 1,
            "id": 7645
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\r\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8I\\xc2r\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10J\\xc2r\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x004J\\xc2r\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00<J\\xc2r\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00`J\\xc2r\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04J\\xc2r\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7646
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\SYSTEM32\\ntmarta.dll"
              }
            ],
            "repeated": 0,
            "id": 7647
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ntmarta.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7648
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 7649
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\ntmarta"
              },
              {
                "name": "DllBase",
                "value": "0x704f0000"
              }
            ],
            "repeated": 0,
            "id": 7650
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\System32\\CoreMessaging.dll"
              }
            ],
            "repeated": 0,
            "id": 7651
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\CoreMessaging.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7652
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 7653
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CoreMessaging"
              },
              {
                "name": "DllBase",
                "value": "0x6fce0000"
              }
            ],
            "repeated": 0,
            "id": 7654
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\SYSTEM32\\wintypes.dll"
              }
            ],
            "repeated": 0,
            "id": 7655
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7656
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 7657
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wintypes"
              },
              {
                "name": "DllBase",
                "value": "0x6fc00000"
              }
            ],
            "repeated": 0,
            "id": 7658
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\System32\\CoreUIComponents.dll"
              }
            ],
            "repeated": 0,
            "id": 7659
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\CoreUIComponents.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7660
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 7661
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CoreUIComponents"
              },
              {
                "name": "DllBase",
                "value": "0x6fe10000"
              }
            ],
            "repeated": 0,
            "id": 7662
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\SYSTEM32\\textinputframework.dll"
              }
            ],
            "repeated": 0,
            "id": 7663
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000054c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\textinputframework.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7664
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000054c"
              }
            ],
            "repeated": 0,
            "id": 7665
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\textinputframework"
              },
              {
                "name": "DllBase",
                "value": "0x70090000"
              }
            ],
            "repeated": 0,
            "id": 7666
          },
          {
            "timestamp": "2026-04-16 20:00:24,455",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\ntmarta"
              },
              {
                "name": "BaseAddress",
                "value": "0x704f0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x704f7e90"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7667
          },
          {
            "timestamp": "2026-04-16 20:00:24,549",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\CoreMessaging"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fce0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x6fd40f00"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7668
          },
          {
            "timestamp": "2026-04-16 20:00:24,549",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\WinTypes"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fc00000"
              },
              {
                "name": "InitRoutine",
                "value": "0x6fc78560"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7669
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\CoreUIComponents"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fe10000"
              },
              {
                "name": "InitRoutine",
                "value": "0x6fe6e960"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7670
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\TextInputFramework"
              },
              {
                "name": "BaseAddress",
                "value": "0x70090000"
              },
              {
                "name": "InitRoutine",
                "value": "0x700d06a0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7671
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7672
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000534"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000118"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\CTF\\"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\"
              }
            ],
            "repeated": 0,
            "id": 7673
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000534"
              },
              {
                "name": "ValueName",
                "value": "EnableAnchorContext"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\CTF\\EnableAnchorContext"
              }
            ],
            "repeated": 0,
            "id": 7674
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 7675
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec4016",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04190419",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 0,
            "id": 7676
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "USER32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              }
            ],
            "repeated": 0,
            "id": 7677
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x057309dc",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\USER32.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 1,
            "id": 7678
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetKeyboardLayout"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d4f170"
              }
            ],
            "repeated": 0,
            "id": 7679
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x057309dc",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04190419",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 1,
            "id": 7680
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "InvalidateRect"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d51ac0"
              }
            ],
            "repeated": 0,
            "id": 7681
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "PostMessage"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7682
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "PostMessageW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d45490"
              }
            ],
            "repeated": 0,
            "id": 7683
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4344",
            "caller": "0x07ec4173",
            "parentcaller": "0x057309dc",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000601c0"
              },
              {
                "name": "Message",
                "value": "0x0000c1b4"
              }
            ],
            "repeated": 0,
            "id": 7684
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipCreateFromHWND"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a081d0"
              }
            ],
            "repeated": 0,
            "id": 7685
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipFillRectangleI"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x709e5370"
              }
            ],
            "repeated": 0,
            "id": 7686
          },
          {
            "timestamp": "2026-04-16 20:00:24,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetDC"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d4e9f0"
              }
            ],
            "repeated": 0,
            "id": 7687
          },
          {
            "timestamp": "2026-04-16 20:00:24,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "EnumDisplayMonitors"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d51440"
              }
            ],
            "repeated": 0,
            "id": 7688
          },
          {
            "timestamp": "2026-04-16 20:00:24,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "ReleaseDC"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d4e390"
              }
            ],
            "repeated": 0,
            "id": 7689
          },
          {
            "timestamp": "2026-04-16 20:00:24,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "GetCurrentObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86d50"
              }
            ],
            "repeated": 0,
            "id": 7690
          },
          {
            "timestamp": "2026-04-16 20:00:24,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "SaveDC"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86f40"
              }
            ],
            "repeated": 0,
            "id": 7691
          },
          {
            "timestamp": "2026-04-16 20:00:24,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "GetNearestColor"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a8af40"
              }
            ],
            "repeated": 0,
            "id": 7692
          },
          {
            "timestamp": "2026-04-16 20:00:24,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "CreateSolidBrush"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a87340"
              }
            ],
            "repeated": 0,
            "id": 7693
          },
          {
            "timestamp": "2026-04-16 20:00:24,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "FillRect"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d32ed0"
              }
            ],
            "repeated": 0,
            "id": 7694
          },
          {
            "timestamp": "2026-04-16 20:00:24,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "DeleteObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a85780"
              }
            ],
            "repeated": 0,
            "id": 7695
          },
          {
            "timestamp": "2026-04-16 20:00:24,814",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "RestoreDC"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86f00"
              }
            ],
            "repeated": 0,
            "id": 7696
          },
          {
            "timestamp": "2026-04-16 20:00:24,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "PeekMessage"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7697
          },
          {
            "timestamp": "2026-04-16 20:00:24,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "PeekMessageW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d4b400"
              }
            ],
            "repeated": 0,
            "id": 7698
          },
          {
            "timestamp": "2026-04-16 20:00:24,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "IsWindowUnicode"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d45ac0"
              }
            ],
            "repeated": 0,
            "id": 7699
          },
          {
            "timestamp": "2026-04-16 20:00:24,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetMessageW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d4b390"
              }
            ],
            "repeated": 0,
            "id": 7700
          },
          {
            "timestamp": "2026-04-16 20:00:24,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "TranslateMessage"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d4a1d0"
              }
            ],
            "repeated": 0,
            "id": 7701
          },
          {
            "timestamp": "2026-04-16 20:00:24,830",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0802c291",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "DispatchMessageW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d456b0"
              }
            ],
            "repeated": 0,
            "id": 7702
          },
          {
            "timestamp": "2026-04-16 20:00:24,877",
            "thread_id": "4344",
            "caller": "0x0829fe48",
            "parentcaller": "0x0829fe2a",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000005c8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7394890c"
              },
              {
                "name": "Parameter",
                "value": "0x012f6638"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "3172"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "Module",
                "value": "mscorwks.dll"
              }
            ],
            "repeated": 0,
            "id": 7703
          },
          {
            "timestamp": "2026-04-16 20:00:24,877",
            "thread_id": "4344",
            "caller": "0x0829fe48",
            "parentcaller": "0x0829fe2a",
            "category": "threading",
            "api": "CreateThread",
            "status": true,
            "return": "0x000005c8",
            "arguments": [
              {
                "name": "StartRoutine",
                "value": "0x7394890c"
              },
              {
                "name": "ModuleName",
                "value": "mscorwks.dll"
              },
              {
                "name": "Parameter",
                "value": "0x012f6638"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000004"
              },
              {
                "name": "ThreadId",
                "value": "3172"
              }
            ],
            "repeated": 0,
            "id": 7704
          },
          {
            "timestamp": "2026-04-16 20:00:24,877",
            "thread_id": "4344",
            "caller": "0x0829fe48",
            "parentcaller": "0x0829fe2a",
            "category": "threading",
            "api": "NtResumeThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000005c8"
              },
              {
                "name": "SuspendCount",
                "value": "1"
              },
              {
                "name": "ThreadId",
                "value": "3172"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 7705
          },
          {
            "timestamp": "2026-04-16 20:00:24,877",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec45be",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": true,
            "return": "0x00000400",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "78"
              }
            ],
            "repeated": 0,
            "id": 7706
          },
          {
            "timestamp": "2026-04-16 20:00:24,877",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec45be",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": true,
            "return": "0x00000300",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 7707
          },
          {
            "timestamp": "2026-04-16 20:00:24,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "BeginPaint"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d51030"
              }
            ],
            "repeated": 0,
            "id": 7708
          },
          {
            "timestamp": "2026-04-16 20:00:24,877",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipCreateHalftonePalette"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a10730"
              }
            ],
            "repeated": 0,
            "id": 7709
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "SelectPalette"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a84290"
              }
            ],
            "repeated": 0,
            "id": 7710
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "EndPaint"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d51430"
              }
            ],
            "repeated": 0,
            "id": 7711
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x7726f231",
            "parentcaller": "0x736e2c18",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 7712
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f33000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7713
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x7726f231",
            "parentcaller": "0x736e2c18",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 1,
            "id": 7714
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7715
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7716
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x7386aa35",
            "parentcaller": "0x7386aa9a",
            "category": "threading",
            "api": "SetThreadStackGuarantee",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InputSize",
                "value": "4096"
              },
              {
                "name": "OutputSize",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7717
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x772761f1",
            "parentcaller": "0x7386ab1a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a341000"
              },
              {
                "name": "RegionSize",
                "value": "0x000fa000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7718
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x772627d9",
            "parentcaller": "0x737e58bd",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7719
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x772627d9",
            "parentcaller": "0x737e58bd",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              },
              {
                "name": "Milliseconds",
                "value": "40000"
              }
            ],
            "repeated": 0,
            "id": 7720
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c42000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7721
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x772765db",
            "parentcaller": "0x73947ec0",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000005c8"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00P\\xe5\\x00\\x04\\x1e\\x00\\x00d\\x0c\\x00\\x00\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3172"
              }
            ],
            "repeated": 0,
            "id": 7722
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "CreateCompatibleDC"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86c90"
              }
            ],
            "repeated": 0,
            "id": 7723
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "GetObjectType"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a83ab0"
              }
            ],
            "repeated": 0,
            "id": 7724
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "CreateCompatibleBitmap"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86f70"
              }
            ],
            "repeated": 0,
            "id": 7725
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "GetDIBits"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86fb0"
              }
            ],
            "repeated": 0,
            "id": 7726
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "DeleteObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a85780"
              }
            ],
            "repeated": 0,
            "id": 7727
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "CreateDIBSection"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a85d80"
              }
            ],
            "repeated": 0,
            "id": 7728
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "SelectObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86ba0"
              }
            ],
            "repeated": 0,
            "id": 7729
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipTranslateWorldTransform"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a07380"
              }
            ],
            "repeated": 0,
            "id": 7730
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipSetClipRectI"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x709cbe70"
              }
            ],
            "repeated": 0,
            "id": 7731
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipCreateMatrix"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a03ad0"
              }
            ],
            "repeated": 0,
            "id": 7732
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipGetWorldTransform"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a0dcc0"
              }
            ],
            "repeated": 0,
            "id": 7733
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipIsMatrixIdentity"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a0ed80"
              }
            ],
            "repeated": 0,
            "id": 7734
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec471e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "LocalAlloc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0460"
              }
            ],
            "repeated": 0,
            "id": 7735
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipGetMatrixElements"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a0cb30"
              }
            ],
            "repeated": 0,
            "id": 7736
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipDeleteMatrix"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a09ad0"
              }
            ],
            "repeated": 0,
            "id": 7737
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipCreateRegion"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x709f88c0"
              }
            ],
            "repeated": 0,
            "id": 7738
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipGetClip"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x709f87a0"
              }
            ],
            "repeated": 0,
            "id": 7739
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7740
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipIsInfiniteRegion"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x709f86b0"
              }
            ],
            "repeated": 0,
            "id": 7741
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipSaveGraphics"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a104f0"
              }
            ],
            "repeated": 0,
            "id": 7742
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipRestoreGraphics"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a424b0"
              }
            ],
            "repeated": 0,
            "id": 7743
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipDeleteRegion"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a0eb80"
              }
            ],
            "repeated": 0,
            "id": 7744
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a150000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7745
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 7746
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x7731327c",
            "parentcaller": "0x77ee4a78",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "63"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7747
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x07ec14d7",
            "parentcaller": "0x00000000",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              },
              {
                "name": "MutexName",
                "value": "Global\\.net clr networking"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7748
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x07ec15c2",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7749
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x07ec15c2",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              },
              {
                "name": "Milliseconds",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 7750
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x07ec1317",
            "parentcaller": "0x00000000",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              }
            ],
            "repeated": 1,
            "id": 7751
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x07ec14d7",
            "parentcaller": "0x00000000",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              },
              {
                "name": "MutexName",
                "value": "Global\\.net clr networking"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7752
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x07ec15c2",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7753
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x07ec15c2",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              },
              {
                "name": "Milliseconds",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 7754
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x07ec1317",
            "parentcaller": "0x00000000",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              }
            ],
            "repeated": 1,
            "id": 7755
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x07ec14d7",
            "parentcaller": "0x00000000",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              },
              {
                "name": "MutexName",
                "value": "Global\\.net clr networking"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7756
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x07ec15c2",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7757
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x07ec15c2",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              },
              {
                "name": "Milliseconds",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 7758
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x07ec1317",
            "parentcaller": "0x00000000",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              }
            ],
            "repeated": 1,
            "id": 7759
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x07ec14d7",
            "parentcaller": "0x00000000",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              },
              {
                "name": "MutexName",
                "value": "Global\\.net clr networking"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7760
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x07ec15c2",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7761
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x07ec15c2",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              },
              {
                "name": "Milliseconds",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 7762
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x07ec1317",
            "parentcaller": "0x00000000",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              }
            ],
            "repeated": 1,
            "id": 7763
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x07ec14d7",
            "parentcaller": "0x00000000",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              },
              {
                "name": "MutexName",
                "value": "Global\\.net clr networking"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7764
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x07ec15c2",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7765
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "3172",
            "caller": "0x07ec15c2",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              },
              {
                "name": "Milliseconds",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 7766
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "3172",
            "caller": "0x07ec1317",
            "parentcaller": "0x00000000",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              }
            ],
            "repeated": 1,
            "id": 7767
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "3172",
            "caller": "0x73a7df9e",
            "parentcaller": "0x73a82c37",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7768
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "3172",
            "caller": "0x77260848",
            "parentcaller": "0x73950b42",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120453",
                "pretty_value": "PROCESS_TERMINATE|PROCESS_CREATE_THREAD|PROCESS_VM_READ|PROCESS_DUP_HANDLE|PROCESS_QUERY_INFORMATION|SYNCHRONIZE|0x00020000"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 7769
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "3172",
            "caller": "0x7726269a",
            "parentcaller": "0x7384680e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              }
            ],
            "repeated": 0,
            "id": 7770
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "3172",
            "caller": "0x772627d9",
            "parentcaller": "0x77262732",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 7771
          },
          {
            "timestamp": "2026-04-16 20:00:24,955",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7772
          },
          {
            "timestamp": "2026-04-16 20:00:24,955",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a160000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7773
          },
          {
            "timestamp": "2026-04-16 20:00:24,955",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a160000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7774
          },
          {
            "timestamp": "2026-04-16 20:00:24,955",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x085a8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7775
          },
          {
            "timestamp": "2026-04-16 20:00:24,955",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a150000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 7776
          },
          {
            "timestamp": "2026-04-16 20:00:24,955",
            "thread_id": "4344",
            "caller": "0x02f7a78f",
            "parentcaller": "0x07c6a5e9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 7777
          },
          {
            "timestamp": "2026-04-16 20:00:24,955",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0a16051a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipSetPixelOffsetMode"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x709e5f00"
              }
            ],
            "repeated": 0,
            "id": 7778
          },
          {
            "timestamp": "2026-04-16 20:00:24,955",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0a16053a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipSetTextRenderingHint"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a45040"
              }
            ],
            "repeated": 0,
            "id": 7779
          },
          {
            "timestamp": "2026-04-16 20:00:24,955",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0a16055a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipSetSmoothingMode"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x709cdd60"
              }
            ],
            "repeated": 0,
            "id": 7780
          },
          {
            "timestamp": "2026-04-16 20:00:24,955",
            "thread_id": "4344",
            "caller": "0x07ec422d",
            "parentcaller": "0x0a1605b0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09df3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7781
          },
          {
            "timestamp": "2026-04-16 20:00:25,018",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0a160600",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipDrawEllipseI"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a39500"
              }
            ],
            "repeated": 0,
            "id": 7782
          },
          {
            "timestamp": "2026-04-16 20:00:25,018",
            "thread_id": "4344",
            "caller": "0x07ec422d",
            "parentcaller": "0x0a160600",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09df5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7783
          },
          {
            "timestamp": "2026-04-16 20:00:25,018",
            "thread_id": "4344",
            "caller": "0x07ec422d",
            "parentcaller": "0x0a160600",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09df6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7784
          },
          {
            "timestamp": "2026-04-16 20:00:25,018",
            "thread_id": "4344",
            "caller": "0x07ec422d",
            "parentcaller": "0x0a160600",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09df7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7785
          },
          {
            "timestamp": "2026-04-16 20:00:25,018",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0a160636",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipDrawArc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a38510"
              }
            ],
            "repeated": 0,
            "id": 7786
          },
          {
            "timestamp": "2026-04-16 20:00:25,033",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0a160350",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipMeasureString"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a01fe0"
              }
            ],
            "repeated": 0,
            "id": 7787
          },
          {
            "timestamp": "2026-04-16 20:00:25,033",
            "thread_id": "4344",
            "caller": "0x07ec4cb2",
            "parentcaller": "0x0a160350",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 7788
          },
          {
            "timestamp": "2026-04-16 20:00:25,033",
            "thread_id": "4344",
            "caller": "0x07ec4cb2",
            "parentcaller": "0x0a160350",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002012"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7789
          },
          {
            "timestamp": "2026-04-16 20:00:25,111",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x0a160194",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipDrawString"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a027b0"
              }
            ],
            "repeated": 0,
            "id": 7790
          },
          {
            "timestamp": "2026-04-16 20:00:25,111",
            "thread_id": "4344",
            "caller": "0x07ec4d80",
            "parentcaller": "0x0a160194",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 7791
          },
          {
            "timestamp": "2026-04-16 20:00:25,111",
            "thread_id": "4344",
            "caller": "0x07ec4d80",
            "parentcaller": "0x0a160194",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005d0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a440000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fdd8c"
              },
              {
                "name": "ViewSize",
                "value": "0x00800000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7792
          },
          {
            "timestamp": "2026-04-16 20:00:25,111",
            "thread_id": "4344",
            "caller": "0x07ec4d80",
            "parentcaller": "0x0a160194",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              }
            ],
            "repeated": 0,
            "id": 7793
          },
          {
            "timestamp": "2026-04-16 20:00:25,111",
            "thread_id": "4344",
            "caller": "0x07ec4d80",
            "parentcaller": "0x0a160194",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 7794
          },
          {
            "timestamp": "2026-04-16 20:00:25,111",
            "thread_id": "4344",
            "caller": "0x07ec4d80",
            "parentcaller": "0x0a160194",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ad000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 7795
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x07ec4d80",
            "parentcaller": "0x0a160194",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ad000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7796
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x07ec4d80",
            "parentcaller": "0x0a160194",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4344"
              }
            ],
            "repeated": 0,
            "id": 7797
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x07ec4d80",
            "parentcaller": "0x0a160194",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7798
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x07ec4d80",
            "parentcaller": "0x0a160194",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09b77000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7799
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x07ec4d80",
            "parentcaller": "0x0a160194",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x088ad000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 7800
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipGetDC"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x709c5ec0"
              }
            ],
            "repeated": 0,
            "id": 7801
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "BitBlt"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86ce0"
              }
            ],
            "repeated": 0,
            "id": 7802
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipReleaseDC"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x709c5cb0"
              }
            ],
            "repeated": 0,
            "id": 7803
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "DeleteDC"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86790"
              }
            ],
            "repeated": 0,
            "id": 7804
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipCombineRegionRegion"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a36120"
              }
            ],
            "repeated": 0,
            "id": 7805
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipGetRegionHRgn"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a3ef60"
              }
            ],
            "repeated": 0,
            "id": 7806
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "CreateRectRgn"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86260"
              }
            ],
            "repeated": 0,
            "id": 7807
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "GetClipRgn"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86ff0"
              }
            ],
            "repeated": 0,
            "id": 7808
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "SelectClipRgn"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a85e10"
              }
            ],
            "repeated": 0,
            "id": 7809
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "OffsetViewportOrgEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a882a0"
              }
            ],
            "repeated": 0,
            "id": 7810
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x07ec2547",
            "parentcaller": "0x057309dc",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x0000100a"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7811
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipGetFamilyName"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a3c120"
              }
            ],
            "repeated": 0,
            "id": 7812
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "CreateCompatibleDC"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86c90"
              }
            ],
            "repeated": 0,
            "id": 7813
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "GetDeviceCaps"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a85ec0"
              }
            ],
            "repeated": 0,
            "id": 7814
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "CreateFontIndirect"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7815
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "CreateFontIndirectW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a85dd0"
              }
            ],
            "repeated": 0,
            "id": 7816
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "GetObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7817
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "GetObjectW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86c50"
              }
            ],
            "repeated": 0,
            "id": 7818
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "SelectObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86ba0"
              }
            ],
            "repeated": 0,
            "id": 7819
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "GetMapMode"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a88220"
              }
            ],
            "repeated": 0,
            "id": 7820
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "GetTextMetricsW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86e40"
              }
            ],
            "repeated": 0,
            "id": 7821
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "DrawTextExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d3c2d0"
              }
            ],
            "repeated": 0,
            "id": 7822
          },
          {
            "timestamp": "2026-04-16 20:00:25,189",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "DrawTextExWW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7823
          },
          {
            "timestamp": "2026-04-16 20:00:25,205",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x07ec5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7824
          },
          {
            "timestamp": "2026-04-16 20:00:25,205",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000419",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 0,
            "id": 7825
          },
          {
            "timestamp": "2026-04-16 20:00:25,205",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7826
          },
          {
            "timestamp": "2026-04-16 20:00:25,205",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000118"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0"
              }
            ],
            "repeated": 0,
            "id": 7827
          },
          {
            "timestamp": "2026-04-16 20:00:25,205",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005d0"
              },
              {
                "name": "ValueName",
                "value": "Disable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable"
              }
            ],
            "repeated": 0,
            "id": 7828
          },
          {
            "timestamp": "2026-04-16 20:00:25,205",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005d0"
              },
              {
                "name": "ValueName",
                "value": "DataFilePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Windows\\Fonts\\staticcache.dat"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath"
              }
            ],
            "repeated": 0,
            "id": 7829
          },
          {
            "timestamp": "2026-04-16 20:00:25,205",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              }
            ],
            "repeated": 0,
            "id": 7830
          },
          {
            "timestamp": "2026-04-16 20:00:25,205",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\staticcache.dat"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7831
          },
          {
            "timestamp": "2026-04-16 20:00:25,205",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005d0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\StaticCache.dat"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00&\\x01\\x00\\x00\\x00\\x00\\x00\\x00&\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7832
          },
          {
            "timestamp": "2026-04-16 20:00:25,205",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005d0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\StaticCache.dat"
              },
              {
                "name": "Buffer",
                "value": "\\x1a\\x83W\\xa5\\x02\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00$\\x01\\x00\\x00$)\\x00\\x00\\x00\\x00\\x02\\x00\\xbe\\x02\\x00\\x00<\\x00\\x00\\x00$!\\x00\\x00L)\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00"
              },
              {
                "name": "Length",
                "value": "60"
              }
            ],
            "repeated": 0,
            "id": 7833
          },
          {
            "timestamp": "2026-04-16 20:00:25,205",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000005d0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\StaticCache.dat"
              }
            ],
            "repeated": 0,
            "id": 7834
          },
          {
            "timestamp": "2026-04-16 20:00:25,205",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0ac40000"
              },
              {
                "name": "SectionOffset",
                "value": "0x010fcc30"
              },
              {
                "name": "ViewSize",
                "value": "0x01260000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7835
          },
          {
            "timestamp": "2026-04-16 20:00:25,283",
            "thread_id": "3964",
            "caller": "0x772627d9",
            "parentcaller": "0x77262732",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7836
          },
          {
            "timestamp": "2026-04-16 20:00:25,283",
            "thread_id": "3964",
            "caller": "0x772627d9",
            "parentcaller": "0x77262732",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "Milliseconds",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7837
          },
          {
            "timestamp": "2026-04-16 20:00:25,283",
            "thread_id": "3964",
            "caller": "0x7726269a",
            "parentcaller": "0x7384680e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              }
            ],
            "repeated": 0,
            "id": 7838
          },
          {
            "timestamp": "2026-04-16 20:00:25,283",
            "thread_id": "3964",
            "caller": "0x7726269a",
            "parentcaller": "0x7384680e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e0"
              }
            ],
            "repeated": 0,
            "id": 7839
          },
          {
            "timestamp": "2026-04-16 20:00:25,283",
            "thread_id": "3964",
            "caller": "0x7726269a",
            "parentcaller": "0x7384680e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 7840
          },
          {
            "timestamp": "2026-04-16 20:00:25,283",
            "thread_id": "3964",
            "caller": "0x7726269a",
            "parentcaller": "0x7384680e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004cc"
              }
            ],
            "repeated": 0,
            "id": 7841
          },
          {
            "timestamp": "2026-04-16 20:00:25,283",
            "thread_id": "3964",
            "caller": "0x7726269a",
            "parentcaller": "0x7384680e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c8"
              }
            ],
            "repeated": 0,
            "id": 7842
          },
          {
            "timestamp": "2026-04-16 20:00:25,283",
            "thread_id": "3964",
            "caller": "0x7726269a",
            "parentcaller": "0x7384680e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              }
            ],
            "repeated": 0,
            "id": 7843
          },
          {
            "timestamp": "2026-04-16 20:00:25,283",
            "thread_id": "3964",
            "caller": "0x7726269a",
            "parentcaller": "0x7384680e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c0"
              }
            ],
            "repeated": 0,
            "id": 7844
          },
          {
            "timestamp": "2026-04-16 20:00:25,283",
            "thread_id": "3964",
            "caller": "0x7726269a",
            "parentcaller": "0x7384680e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              }
            ],
            "repeated": 0,
            "id": 7845
          },
          {
            "timestamp": "2026-04-16 20:00:25,283",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01358000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7846
          },
          {
            "timestamp": "2026-04-16 20:00:25,330",
            "thread_id": "3172",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c52000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7847
          },
          {
            "timestamp": "2026-04-16 20:00:25,330",
            "thread_id": "3172",
            "caller": "0x77264429",
            "parentcaller": "0x738c3263",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\en-us.nlp"
              }
            ],
            "repeated": 0,
            "id": 7848
          },
          {
            "timestamp": "2026-04-16 20:00:25,330",
            "thread_id": "3172",
            "caller": "0x07ec07b8",
            "parentcaller": "0x00000000",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.config"
              }
            ],
            "repeated": 0,
            "id": 7849
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7383d9eb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003b0"
              },
              {
                "name": "SubKey",
                "value": "policy.2.0.mscorlib.resources_ru-RU_b77a5c561934e089"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.mscorlib.resources_ru-RU_b77a5c561934e089"
              }
            ],
            "repeated": 0,
            "id": 7850
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7383d9eb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "NI\\5e8c75c\\de7da15"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5e8c75c\\de7da15"
              }
            ],
            "repeated": 0,
            "id": 7851
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x77264429",
            "parentcaller": "0x7383db34",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib.resources\\2.0.0.0_ru-RU_b77a5c561934e089"
              }
            ],
            "repeated": 0,
            "id": 7852
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x77264429",
            "parentcaller": "0x7383db34",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\mscorlib.resources\\2.0.0.0_ru-RU_b77a5c561934e089"
              }
            ],
            "repeated": 0,
            "id": 7853
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x77264429",
            "parentcaller": "0x7383db34",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC\\mscorlib.resources\\2.0.0.0_ru-RU_b77a5c561934e089"
              }
            ],
            "repeated": 0,
            "id": 7854
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x73910bc8",
            "parentcaller": "0x73912504",
            "category": "filesystem",
            "api": "UrlCanonicalizeW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Url",
                "value": "C:/Users/cape/AppData/Local/Temp/"
              }
            ],
            "repeated": 0,
            "id": 7855
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01360000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7856
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x73910bc8",
            "parentcaller": "0x7391218d",
            "category": "filesystem",
            "api": "UrlCanonicalizeW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Url",
                "value": "C:/Users/cape/AppData/Local/Temp/ru-RU/mscorlib.resources.DLL"
              }
            ],
            "repeated": 0,
            "id": 7857
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01364000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7858
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x73910bc8",
            "parentcaller": "0x7391218d",
            "category": "filesystem",
            "api": "UrlCanonicalizeW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Url",
                "value": "C:/Users/cape/AppData/Local/Temp/ru-RU/mscorlib.resources/mscorlib.resources.DLL"
              }
            ],
            "repeated": 0,
            "id": 7859
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x73910bc8",
            "parentcaller": "0x73912504",
            "category": "filesystem",
            "api": "UrlCanonicalizeW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Url",
                "value": "C:/Users/cape/AppData/Local/Temp/"
              }
            ],
            "repeated": 0,
            "id": 7860
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x73910bc8",
            "parentcaller": "0x7391218d",
            "category": "filesystem",
            "api": "UrlCanonicalizeW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Url",
                "value": "C:/Users/cape/AppData/Local/Temp/ru-RU/mscorlib.resources.EXE"
              }
            ],
            "repeated": 0,
            "id": 7861
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x73910bc8",
            "parentcaller": "0x7391218d",
            "category": "filesystem",
            "api": "UrlCanonicalizeW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Url",
                "value": "C:/Users/cape/AppData/Local/Temp/ru-RU/mscorlib.resources/mscorlib.resources.EXE"
              }
            ],
            "repeated": 0,
            "id": 7862
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x77264429",
            "parentcaller": "0x7383db34",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\ru-RU\\mscorlib.resources.dll"
              }
            ],
            "repeated": 0,
            "id": 7863
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x77264429",
            "parentcaller": "0x7383db34",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\ru-RU\\mscorlib.resources\\mscorlib.resources.dll"
              }
            ],
            "repeated": 0,
            "id": 7864
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x77264429",
            "parentcaller": "0x7383db34",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\ru-RU\\mscorlib.resources.exe"
              }
            ],
            "repeated": 0,
            "id": 7865
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x77264429",
            "parentcaller": "0x7383db34",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\ru-RU\\mscorlib.resources\\mscorlib.resources.exe"
              }
            ],
            "repeated": 0,
            "id": 7866
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x77264429",
            "parentcaller": "0x738c3263",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\ru.nlp"
              }
            ],
            "repeated": 0,
            "id": 7867
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7383d9eb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003b0"
              },
              {
                "name": "SubKey",
                "value": "policy.2.0.mscorlib.resources_ru_b77a5c561934e089"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.mscorlib.resources_ru_b77a5c561934e089"
              }
            ],
            "repeated": 0,
            "id": 7868
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x738fbaa0",
            "parentcaller": "0x7383d9eb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000368"
              },
              {
                "name": "SubKey",
                "value": "NI\\5e8c75c\\2f231edf"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5e8c75c\\2f231edf"
              }
            ],
            "repeated": 0,
            "id": 7869
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x77264429",
            "parentcaller": "0x7383db34",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib.resources\\2.0.0.0_ru_b77a5c561934e089"
              }
            ],
            "repeated": 0,
            "id": 7870
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x77264429",
            "parentcaller": "0x7383db34",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\mscorlib.resources\\2.0.0.0_ru_b77a5c561934e089"
              }
            ],
            "repeated": 0,
            "id": 7871
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x77264429",
            "parentcaller": "0x7383db34",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\mscorlib.resources\\2.0.0.0_ru_b77a5c561934e089\\mscorlib.resources.dll"
              }
            ],
            "repeated": 0,
            "id": 7872
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x76ad1e6a",
            "parentcaller": "0x7383a7ab",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 7873
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "3172",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\mscorlib.resources\\2.0.0.0_ru_b77a5c561934e089\\mscorlib.resources.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7874
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "3172",
            "caller": "0x77260e58",
            "parentcaller": "0x77260abe",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004bc"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\mscorlib.Resources\\2.0.0.0_ru_b77a5c561934e089\\mscorlib.resources.dll"
              }
            ],
            "repeated": 0,
            "id": 7875
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "3172",
            "caller": "0x7727675b",
            "parentcaller": "0x7727669e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004c8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a170000"
              },
              {
                "name": "SectionOffset",
                "value": "0x0a43b278"
              },
              {
                "name": "ViewSize",
                "value": "0x00064000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7876
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "3172",
            "caller": "0x7727675b",
            "parentcaller": "0x7727669e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004c8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0bea0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x0a43b278"
              },
              {
                "name": "ViewSize",
                "value": "0x00064000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7877
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "3172",
            "caller": "0x77270c75",
            "parentcaller": "0x738472ac",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a170000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7878
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x01352000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 7879
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 7880
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 7881
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 7882
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TextShaping.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7883
          },
          {
            "timestamp": "2026-04-16 20:00:25,424",
            "thread_id": "3172",
            "caller": "0x76ad1e6a",
            "parentcaller": "0x7383a7ab",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 7884
          },
          {
            "timestamp": "2026-04-16 20:00:25,424",
            "thread_id": "3172",
            "caller": "0x77264566",
            "parentcaller": "0x7383bded",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\mscorlib.resources\\2.0.0.0_ru_b77a5c561934e089\\mscorlib.resources.INI"
              }
            ],
            "repeated": 0,
            "id": 7885
          },
          {
            "timestamp": "2026-04-16 20:00:25,424",
            "thread_id": "3172",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f91000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7886
          },
          {
            "timestamp": "2026-04-16 20:00:25,424",
            "thread_id": "3172",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\mscorlib.resources\\2.0.0.0_ru_b77a5c561934e089\\mscorlib.resources.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7887
          },
          {
            "timestamp": "2026-04-16 20:00:25,424",
            "thread_id": "3172",
            "caller": "0x7727a9e7",
            "parentcaller": "0x73848e80",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\mscorlib.Resources\\2.0.0.0_ru_b77a5c561934e089\\mscorlib.resources.dll"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7888
          },
          {
            "timestamp": "2026-04-16 20:00:25,424",
            "thread_id": "3172",
            "caller": "0x7727a9e7",
            "parentcaller": "0x73848e91",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004b8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\mscorlib.Resources\\2.0.0.0_ru_b77a5c561934e089\\mscorlib.resources.dll"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7889
          },
          {
            "timestamp": "2026-04-16 20:00:25,611",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004cc"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 7890
          },
          {
            "timestamp": "2026-04-16 20:00:25,674",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004c4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fb10000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00094000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7891
          },
          {
            "timestamp": "2026-04-16 20:00:25,674",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              }
            ],
            "repeated": 0,
            "id": 7892
          },
          {
            "timestamp": "2026-04-16 20:00:25,674",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004cc"
              }
            ],
            "repeated": 0,
            "id": 7893
          },
          {
            "timestamp": "2026-04-16 20:00:25,674",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "C:\\Windows\\SYSTEM32\\TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 7894
          },
          {
            "timestamp": "2026-04-16 20:00:25,674",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TextShaping.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7895
          },
          {
            "timestamp": "2026-04-16 20:00:25,674",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004cc"
              }
            ],
            "repeated": 0,
            "id": 7896
          },
          {
            "timestamp": "2026-04-16 20:00:25,674",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\TextShaping"
              },
              {
                "name": "DllBase",
                "value": "0x6fb10000"
              }
            ],
            "repeated": 0,
            "id": 7897
          },
          {
            "timestamp": "2026-04-16 20:00:25,705",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\TextShaping"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fb10000"
              },
              {
                "name": "InitRoutine",
                "value": "0x6fb9f2b0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7898
          },
          {
            "timestamp": "2026-04-16 20:00:25,705",
            "thread_id": "3172",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000002"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\mscorlib.resources\\2.0.0.0_ru_b77a5c561934e089\\mscorlib.resources.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a170000"
              }
            ],
            "repeated": 0,
            "id": 7899
          },
          {
            "timestamp": "2026-04-16 20:00:25,705",
            "thread_id": "3172",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x0a170000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\assembly\\GAC_MSIL\\mscorlib.resources\\2.0.0.0_ru_b77a5c561934e089\\mscorlib.resources.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000009"
              }
            ],
            "repeated": 0,
            "id": 7900
          },
          {
            "timestamp": "2026-04-16 20:00:25,705",
            "thread_id": "3172",
            "caller": "0x7726269a",
            "parentcaller": "0x7384680e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 7901
          },
          {
            "timestamp": "2026-04-16 20:00:25,752",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7902
          },
          {
            "timestamp": "2026-04-16 20:00:25,752",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000118"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              }
            ],
            "repeated": 0,
            "id": 7903
          },
          {
            "timestamp": "2026-04-16 20:00:25,752",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "ValueName",
                "value": "Plane1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1"
              }
            ],
            "repeated": 0,
            "id": 7904
          },
          {
            "timestamp": "2026-04-16 20:00:25,752",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "ValueName",
                "value": "Plane2"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "SimSun-ExtB"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2"
              }
            ],
            "repeated": 1,
            "id": 7905
          },
          {
            "timestamp": "2026-04-16 20:00:25,752",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "ValueName",
                "value": "Plane3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3"
              }
            ],
            "repeated": 0,
            "id": 7906
          },
          {
            "timestamp": "2026-04-16 20:00:25,752",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "ValueName",
                "value": "Plane4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4"
              }
            ],
            "repeated": 0,
            "id": 7907
          },
          {
            "timestamp": "2026-04-16 20:00:25,752",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "ValueName",
                "value": "Plane5"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5"
              }
            ],
            "repeated": 0,
            "id": 7908
          },
          {
            "timestamp": "2026-04-16 20:00:25,752",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "ValueName",
                "value": "Plane6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6"
              }
            ],
            "repeated": 0,
            "id": 7909
          },
          {
            "timestamp": "2026-04-16 20:00:25,752",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "ValueName",
                "value": "Plane7"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7"
              }
            ],
            "repeated": 0,
            "id": 7910
          },
          {
            "timestamp": "2026-04-16 20:00:25,752",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "ValueName",
                "value": "Plane8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8"
              }
            ],
            "repeated": 0,
            "id": 7911
          },
          {
            "timestamp": "2026-04-16 20:00:25,752",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "ValueName",
                "value": "Plane9"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9"
              }
            ],
            "repeated": 0,
            "id": 7912
          },
          {
            "timestamp": "2026-04-16 20:00:25,752",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "ValueName",
                "value": "Plane10"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10"
              }
            ],
            "repeated": 0,
            "id": 7913
          },
          {
            "timestamp": "2026-04-16 20:00:25,752",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "ValueName",
                "value": "Plane11"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11"
              }
            ],
            "repeated": 0,
            "id": 7914
          },
          {
            "timestamp": "2026-04-16 20:00:25,752",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "ValueName",
                "value": "Plane12"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12"
              }
            ],
            "repeated": 0,
            "id": 7915
          },
          {
            "timestamp": "2026-04-16 20:00:25,752",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "ValueName",
                "value": "Plane13"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13"
              }
            ],
            "repeated": 0,
            "id": 7916
          },
          {
            "timestamp": "2026-04-16 20:00:25,768",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "ValueName",
                "value": "Plane14"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14"
              }
            ],
            "repeated": 0,
            "id": 7917
          },
          {
            "timestamp": "2026-04-16 20:00:25,768",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "ValueName",
                "value": "Plane15"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15"
              }
            ],
            "repeated": 0,
            "id": 7918
          },
          {
            "timestamp": "2026-04-16 20:00:25,768",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "ValueName",
                "value": "Plane16"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16"
              }
            ],
            "repeated": 0,
            "id": 7919
          },
          {
            "timestamp": "2026-04-16 20:00:25,768",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e0"
              }
            ],
            "repeated": 0,
            "id": 7920
          },
          {
            "timestamp": "2026-04-16 20:00:25,768",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7921
          },
          {
            "timestamp": "2026-04-16 20:00:25,768",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000109",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000118"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              }
            ],
            "repeated": 0,
            "id": 7922
          },
          {
            "timestamp": "2026-04-16 20:00:25,768",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffa8\\x01\\xffd1y\\x0b\\xffad\\xffd5\\x01\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x1a\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x18\\x00\\x00\\x00\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 7923
          },
          {
            "timestamp": "2026-04-16 20:00:25,768",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7924
          },
          {
            "timestamp": "2026-04-16 20:00:25,768",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7925
          },
          {
            "timestamp": "2026-04-16 20:00:25,768",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 7926
          },
          {
            "timestamp": "2026-04-16 20:00:25,768",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "Index",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7927
          },
          {
            "timestamp": "2026-04-16 20:00:25,768",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004e0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Verdana"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Verdana"
              }
            ],
            "repeated": 0,
            "id": 7928
          },
          {
            "timestamp": "2026-04-16 20:00:25,768",
            "thread_id": "4344",
            "caller": "0x07ec5031",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e0"
              }
            ],
            "repeated": 0,
            "id": 7929
          },
          {
            "timestamp": "2026-04-16 20:00:25,768",
            "thread_id": "3964",
            "caller": "0x7726074f",
            "parentcaller": "0x7386cc0a",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 7930
          },
          {
            "timestamp": "2026-04-16 20:00:25,768",
            "thread_id": "3964",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "SwitchToThread"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ac7cc0"
              }
            ],
            "repeated": 0,
            "id": 7931
          },
          {
            "timestamp": "2026-04-16 20:00:25,768",
            "thread_id": "3964",
            "caller": "0x737e55cd",
            "parentcaller": "0x737e545c",
            "category": "threading",
            "api": "NtYieldExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7932
          },
          {
            "timestamp": "2026-04-16 20:00:25,768",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x709a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdipGetTextRenderingHint"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x70a3f8a0"
              }
            ],
            "repeated": 0,
            "id": 7933
          },
          {
            "timestamp": "2026-04-16 20:00:25,768",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "GetTextAlign"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a83c60"
              }
            ],
            "repeated": 0,
            "id": 7934
          },
          {
            "timestamp": "2026-04-16 20:00:25,768",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "GetTextColor"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a841a0"
              }
            ],
            "repeated": 0,
            "id": 7935
          },
          {
            "timestamp": "2026-04-16 20:00:25,768",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "SetTextColor"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86d90"
              }
            ],
            "repeated": 0,
            "id": 7936
          },
          {
            "timestamp": "2026-04-16 20:00:25,768",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "GetBkMode"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a881c0"
              }
            ],
            "repeated": 0,
            "id": 7937
          },
          {
            "timestamp": "2026-04-16 20:00:25,768",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76a80000"
              },
              {
                "name": "FunctionName",
                "value": "SetBkMode"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76a86ec0"
              }
            ],
            "repeated": 0,
            "id": 7938
          },
          {
            "timestamp": "2026-04-16 20:00:25,783",
            "thread_id": "4344",
            "caller": "0x07ec422d",
            "parentcaller": "0x0a1605b0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09df8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7939
          },
          {
            "timestamp": "2026-04-16 20:00:25,783",
            "thread_id": "4344",
            "caller": "0x07ec4cb2",
            "parentcaller": "0x0a160350",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 1,
            "id": 7940
          },
          {
            "timestamp": "2026-04-16 20:00:25,799",
            "thread_id": "4344",
            "caller": "0x05730626",
            "parentcaller": "0x057309dc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "GetDlgItem"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d48fb0"
              }
            ],
            "repeated": 0,
            "id": 7941
          },
          {
            "timestamp": "2026-04-16 20:00:25,799",
            "thread_id": "4344",
            "caller": "0x07ec4cb2",
            "parentcaller": "0x0a160350",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 1,
            "id": 7942
          },
          {
            "timestamp": "2026-04-16 20:00:25,799",
            "thread_id": "4344",
            "caller": "0x057309dc",
            "parentcaller": "0x07ec471e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c62000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7943
          },
          {
            "timestamp": "2026-04-16 20:00:25,799",
            "thread_id": "4344",
            "caller": "0x07ec4cb2",
            "parentcaller": "0x0a160350",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 1,
            "id": 7944
          },
          {
            "timestamp": "2026-04-16 20:00:25,799",
            "thread_id": "4344",
            "caller": "0x0802c291",
            "parentcaller": "0x0802be36",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x75d10000"
              },
              {
                "name": "FunctionName",
                "value": "WaitMessage"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x75d52540"
              }
            ],
            "repeated": 0,
            "id": 7945
          },
          {
            "timestamp": "2026-04-16 20:00:25,799",
            "thread_id": "3172",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08532000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7946
          },
          {
            "timestamp": "2026-04-16 20:00:25,799",
            "thread_id": "3172",
            "caller": "0x737e55cd",
            "parentcaller": "0x737e545c",
            "category": "threading",
            "api": "NtYieldExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7947
          },
          {
            "timestamp": "2026-04-16 20:00:25,799",
            "thread_id": "3964",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08533000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7948
          },
          {
            "timestamp": "2026-04-16 20:00:25,814",
            "thread_id": "3964",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08535000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7949
          },
          {
            "timestamp": "2026-04-16 20:00:25,814",
            "thread_id": "3964",
            "caller": "0x77e7138f",
            "parentcaller": "0x77e7110a",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              }
            ],
            "repeated": 0,
            "id": 7950
          },
          {
            "timestamp": "2026-04-16 20:00:25,814",
            "thread_id": "3964",
            "caller": "0x77e713ac",
            "parentcaller": "0x77e7110a",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "ResourcePolicies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies"
              }
            ],
            "repeated": 0,
            "id": 7951
          },
          {
            "timestamp": "2026-04-16 20:00:25,814",
            "thread_id": "3964",
            "caller": "0x77e713c2",
            "parentcaller": "0x77e7110a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              }
            ],
            "repeated": 0,
            "id": 7952
          },
          {
            "timestamp": "2026-04-16 20:00:25,830",
            "thread_id": "4344",
            "caller": "0x07ec4cb2",
            "parentcaller": "0x0a160350",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 1,
            "id": 7953
          },
          {
            "timestamp": "2026-04-16 20:00:25,830",
            "thread_id": "3964",
            "caller": "0x77e6f04b",
            "parentcaller": "0x77e6ef40",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7954
          },
          {
            "timestamp": "2026-04-16 20:00:25,830",
            "thread_id": "3964",
            "caller": "0x77e6f092",
            "parentcaller": "0x77e6ef40",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000040",
                "pretty_value": "PAGE_EXECUTE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7955
          },
          {
            "timestamp": "2026-04-16 20:00:25,861",
            "thread_id": "4344",
            "caller": "0x07ec4cb2",
            "parentcaller": "0x0a160350",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 1,
            "id": 7956
          },
          {
            "timestamp": "2026-04-16 20:00:25,861",
            "thread_id": "3964",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73878a61",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000004e6"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 7957
          },
          {
            "timestamp": "2026-04-16 20:00:25,861",
            "thread_id": "3964",
            "caller": "0x73832c2e",
            "parentcaller": "0x73878a85",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7958
          },
          {
            "timestamp": "2026-04-16 20:00:25,861",
            "thread_id": "3964",
            "caller": "0x73832c2e",
            "parentcaller": "0x73878ad3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SysWOW64\\mscoree.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7959
          },
          {
            "timestamp": "2026-04-16 20:00:25,861",
            "thread_id": "3964",
            "caller": "0x73878ae7",
            "parentcaller": "0x738788d7",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e6"
              }
            ],
            "repeated": 0,
            "id": 7960
          },
          {
            "timestamp": "2026-04-16 20:00:25,861",
            "thread_id": "3964",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\mscoree.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x74160000"
              }
            ],
            "repeated": 0,
            "id": 7961
          },
          {
            "timestamp": "2026-04-16 20:00:25,861",
            "thread_id": "3964",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x74160000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\SysWOW64\\mscoree.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 7962
          },
          {
            "timestamp": "2026-04-16 20:00:25,861",
            "thread_id": "3964",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x74160000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7416e450"
              }
            ],
            "repeated": 0,
            "id": 7963
          },
          {
            "timestamp": "2026-04-16 20:00:25,861",
            "thread_id": "3964",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject_RetAddr"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7964
          },
          {
            "timestamp": "2026-04-16 20:00:25,861",
            "thread_id": "3964",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x73e10000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x73e41640"
              }
            ],
            "repeated": 0,
            "id": 7965
          },
          {
            "timestamp": "2026-04-16 20:00:25,861",
            "thread_id": "3964",
            "caller": "0x772627d9",
            "parentcaller": "0x77262732",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000238"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 7966
          },
          {
            "timestamp": "2026-04-16 20:00:25,861",
            "thread_id": "3964",
            "caller": "0x77265900",
            "parentcaller": "0x73e42647",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000238"
              }
            ],
            "repeated": 0,
            "id": 7967
          },
          {
            "timestamp": "2026-04-16 20:00:25,861",
            "thread_id": "3964",
            "caller": "0x73e17a31",
            "parentcaller": "0x73e5c45d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server"
              },
              {
                "name": "Handle",
                "value": "0x000004e6"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server"
              }
            ],
            "repeated": 0,
            "id": 7968
          },
          {
            "timestamp": "2026-04-16 20:00:25,861",
            "thread_id": "3964",
            "caller": "0x73e5c4d7",
            "parentcaller": "0x73e5c68f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7969
          },
          {
            "timestamp": "2026-04-16 20:00:25,861",
            "thread_id": "3964",
            "caller": "0x73e5c51c",
            "parentcaller": "0x73e5c68f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "diasymreader.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7970
          },
          {
            "timestamp": "2026-04-16 20:00:25,861",
            "thread_id": "3964",
            "caller": "0x73e1760b",
            "parentcaller": "0x73e5c56f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e6"
              }
            ],
            "repeated": 0,
            "id": 7971
          },
          {
            "timestamp": "2026-04-16 20:00:25,861",
            "thread_id": "3964",
            "caller": "0x73e17a31",
            "parentcaller": "0x73e5e405",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\.NETFramework"
              },
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework"
              }
            ],
            "repeated": 0,
            "id": 7972
          },
          {
            "timestamp": "2026-04-16 20:00:25,861",
            "thread_id": "3964",
            "caller": "0x73e5e44b",
            "parentcaller": "0x73e5c6a1",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "AlwaysReadHKCRForCLSIDs"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\AlwaysReadHKCRForCLSIDs"
              }
            ],
            "repeated": 0,
            "id": 7973
          },
          {
            "timestamp": "2026-04-16 20:00:25,861",
            "thread_id": "3964",
            "caller": "0x73e1760b",
            "parentcaller": "0x73e5e484",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              }
            ],
            "repeated": 0,
            "id": 7974
          },
          {
            "timestamp": "2026-04-16 20:00:25,861",
            "thread_id": "3172",
            "caller": "0x737e55cd",
            "parentcaller": "0x737e545c",
            "category": "threading",
            "api": "NtYieldExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 9,
            "id": 7975
          },
          {
            "timestamp": "2026-04-16 20:00:25,893",
            "thread_id": "4344",
            "caller": "0x07ec422d",
            "parentcaller": "0x0a160600",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09dfc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7976
          },
          {
            "timestamp": "2026-04-16 20:00:25,893",
            "thread_id": "4344",
            "caller": "0x07ec4cb2",
            "parentcaller": "0x0a160350",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 5,
            "id": 7977
          },
          {
            "timestamp": "2026-04-16 20:00:25,986",
            "thread_id": "4344",
            "caller": "0x07ec422d",
            "parentcaller": "0x0a160600",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09dfd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7978
          },
          {
            "timestamp": "2026-04-16 20:00:25,986",
            "thread_id": "4344",
            "caller": "0x07ec4cb2",
            "parentcaller": "0x0a160350",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 1,
            "id": 7979
          },
          {
            "timestamp": "2026-04-16 20:00:25,986",
            "thread_id": "3964",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "OpenThreadToken"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebe8c0"
              }
            ],
            "repeated": 0,
            "id": 7980
          },
          {
            "timestamp": "2026-04-16 20:00:25,986",
            "thread_id": "3964",
            "caller": "0x77263cc4",
            "parentcaller": "0x73e5cae3",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004e4"
              }
            ],
            "repeated": 0,
            "id": 7981
          },
          {
            "timestamp": "2026-04-16 20:00:25,986",
            "thread_id": "3964",
            "caller": "0x77261446",
            "parentcaller": "0x73e5cb31",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7982
          },
          {
            "timestamp": "2026-04-16 20:00:25,986",
            "thread_id": "3964",
            "caller": "0x77261446",
            "parentcaller": "0x73e5cba6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "0f3\\x01`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7983
          },
          {
            "timestamp": "2026-04-16 20:00:25,986",
            "thread_id": "3964",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "GetSidSubAuthorityCount"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebf190"
              }
            ],
            "repeated": 0,
            "id": 7984
          },
          {
            "timestamp": "2026-04-16 20:00:25,986",
            "thread_id": "3964",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ea0000"
              },
              {
                "name": "FunctionName",
                "value": "GetSidSubAuthority"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ebf030"
              }
            ],
            "repeated": 0,
            "id": 7985
          },
          {
            "timestamp": "2026-04-16 20:00:25,986",
            "thread_id": "3964",
            "caller": "0x7726269a",
            "parentcaller": "0x73e5cc49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              }
            ],
            "repeated": 0,
            "id": 7986
          },
          {
            "timestamp": "2026-04-16 20:00:25,986",
            "thread_id": "3964",
            "caller": "0x73e17a31",
            "parentcaller": "0x73e5c45d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Classes\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server"
              },
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server"
              }
            ],
            "repeated": 0,
            "id": 7987
          },
          {
            "timestamp": "2026-04-16 20:00:25,986",
            "thread_id": "3964",
            "caller": "0x73e5c4d7",
            "parentcaller": "0x73e5c772",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7988
          },
          {
            "timestamp": "2026-04-16 20:00:25,986",
            "thread_id": "3964",
            "caller": "0x73e5c51c",
            "parentcaller": "0x73e5c772",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "diasymreader.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7989
          },
          {
            "timestamp": "2026-04-16 20:00:25,986",
            "thread_id": "3964",
            "caller": "0x73e1760b",
            "parentcaller": "0x73e5c56f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              }
            ],
            "repeated": 0,
            "id": 7990
          },
          {
            "timestamp": "2026-04-16 20:00:26,018",
            "thread_id": "4344",
            "caller": "0x07ec4cb2",
            "parentcaller": "0x0a160350",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 9,
            "id": 7991
          },
          {
            "timestamp": "2026-04-16 20:00:26,174",
            "thread_id": "4344",
            "caller": "0x07ec422d",
            "parentcaller": "0x0a160600",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09dfe000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7992
          },
          {
            "timestamp": "2026-04-16 20:00:26,174",
            "thread_id": "4344",
            "caller": "0x07ec422d",
            "parentcaller": "0x0a160600",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09dff000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7993
          },
          {
            "timestamp": "2026-04-16 20:00:26,174",
            "thread_id": "4344",
            "caller": "0x07ec422d",
            "parentcaller": "0x0a160600",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09e00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7994
          },
          {
            "timestamp": "2026-04-16 20:00:26,174",
            "thread_id": "4344",
            "caller": "0x07ec4cb2",
            "parentcaller": "0x0a160350",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 3,
            "id": 7995
          },
          {
            "timestamp": "2026-04-16 20:00:26,236",
            "thread_id": "4344",
            "caller": "0x07ec422d",
            "parentcaller": "0x0a160600",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09e01000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7996
          },
          {
            "timestamp": "2026-04-16 20:00:26,236",
            "thread_id": "4344",
            "caller": "0x07ec4cb2",
            "parentcaller": "0x0a160350",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 15,
            "id": 7997
          },
          {
            "timestamp": "2026-04-16 20:00:26,596",
            "thread_id": "3964",
            "caller": "0x77261d96",
            "parentcaller": "0x73e41211",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "3964"
              },
              {
                "name": "Module",
                "value": "KERNEL32.dll"
              },
              {
                "name": "Return Address",
                "value": "0x76ad24ac"
              }
            ],
            "repeated": 0,
            "id": 7998
          },
          {
            "timestamp": "2026-04-16 20:00:26,846",
            "thread_id": "3964",
            "caller": "0x77261d96",
            "parentcaller": "0x73e41211",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\diasymreader"
              },
              {
                "name": "DllBase",
                "value": "0x705c0000"
              }
            ],
            "repeated": 0,
            "id": 7999
          },
          {
            "timestamp": "2026-04-16 20:00:27,393",
            "thread_id": "4344",
            "caller": "0x07ec4cb2",
            "parentcaller": "0x0a160350",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 1,
            "id": 8000
          },
          {
            "timestamp": "2026-04-16 20:00:27,393",
            "thread_id": "3964",
            "caller": "0x705ea64e",
            "parentcaller": "0x736e1742",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8001
          },
          {
            "timestamp": "2026-04-16 20:00:27,393",
            "thread_id": "3964",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f34000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8002
          },
          {
            "timestamp": "2026-04-16 20:00:27,393",
            "thread_id": "3964",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f36000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8003
          },
          {
            "timestamp": "2026-04-16 20:00:27,393",
            "thread_id": "3964",
            "caller": "0x77e7138f",
            "parentcaller": "0x77e7110a",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              }
            ],
            "repeated": 0,
            "id": 8004
          },
          {
            "timestamp": "2026-04-16 20:00:27,393",
            "thread_id": "3964",
            "caller": "0x77e713ac",
            "parentcaller": "0x77e7110a",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "ResourcePolicies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies"
              }
            ],
            "repeated": 0,
            "id": 8005
          },
          {
            "timestamp": "2026-04-16 20:00:27,393",
            "thread_id": "3964",
            "caller": "0x77e713c2",
            "parentcaller": "0x77e7110a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              }
            ],
            "repeated": 0,
            "id": 8006
          },
          {
            "timestamp": "2026-04-16 20:00:27,393",
            "thread_id": "3964",
            "caller": "0x77e6f04b",
            "parentcaller": "0x77e6ef40",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0bf20000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8007
          },
          {
            "timestamp": "2026-04-16 20:00:27,393",
            "thread_id": "3964",
            "caller": "0x77e6f092",
            "parentcaller": "0x77e6ef40",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0bf20000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8008
          },
          {
            "timestamp": "2026-04-16 20:00:27,408",
            "thread_id": "4344",
            "caller": "0x07ec4cb2",
            "parentcaller": "0x0a160350",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 11,
            "id": 8009
          },
          {
            "timestamp": "2026-04-16 20:00:27,580",
            "thread_id": "3964",
            "caller": "0x77261d96",
            "parentcaller": "0x73e41211",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\diasymreader.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x705c0000"
              }
            ],
            "repeated": 0,
            "id": 8010
          },
          {
            "timestamp": "2026-04-16 20:00:27,580",
            "thread_id": "3964",
            "caller": "0x77261d96",
            "parentcaller": "0x73e41211",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x705c0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\diasymreader.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 8011
          },
          {
            "timestamp": "2026-04-16 20:00:27,580",
            "thread_id": "3964",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "diasymreader.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x705c0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObjectInternal"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x705d21e1"
              }
            ],
            "repeated": 0,
            "id": 8012
          },
          {
            "timestamp": "2026-04-16 20:00:27,580",
            "thread_id": "3964",
            "caller": "0x772627d9",
            "parentcaller": "0x77262732",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000238"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 8013
          },
          {
            "timestamp": "2026-04-16 20:00:27,580",
            "thread_id": "3964",
            "caller": "0x77265900",
            "parentcaller": "0x73e427f4",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000238"
              }
            ],
            "repeated": 0,
            "id": 8014
          },
          {
            "timestamp": "2026-04-16 20:00:27,580",
            "thread_id": "3964",
            "caller": "0x77264429",
            "parentcaller": "0x7383db34",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.PDB"
              }
            ],
            "repeated": 0,
            "id": 8015
          },
          {
            "timestamp": "2026-04-16 20:00:27,596",
            "thread_id": "4344",
            "caller": "0x07ec4cb2",
            "parentcaller": "0x0a160350",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 9,
            "id": 8016
          },
          {
            "timestamp": "2026-04-16 20:00:27,721",
            "thread_id": "3964",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8017
          },
          {
            "timestamp": "2026-04-16 20:00:27,721",
            "thread_id": "3964",
            "caller": "0x7726edc2",
            "parentcaller": "0x73714082",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004cc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8018
          },
          {
            "timestamp": "2026-04-16 20:00:27,721",
            "thread_id": "3964",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f38000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8019
          },
          {
            "timestamp": "2026-04-16 20:00:27,721",
            "thread_id": "3964",
            "caller": "0x7726249c",
            "parentcaller": "0x737151b6",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004cc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x0e\\x1f\\xba\\x0e\\x00\\xb4\t\\xcd!\\xb8\\x01L\\xcd!This program cannot be run in DOS mode.\r\r\n$\\x00\\x00\\x00\\x00\\x00\\x00\\x00PE\\x00\\x00L\\x01\\x04\\x00\t\\x9d\\x93U\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x00\\x0e\\x01\\x0b\\x01\\x06\\x00\\x00\\xb2\\x15\\x00\\x00N\\x00\\x00\\x00\\x00\\x00\\x00\\xce\\xd0\\x15\\x00\\x00 \\x00\\x00\\x00\\xe0\\x15\\x00\\x00\\x00@\\x00\\x00 \\x00\\x00\\x00\\x02\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 8020
          },
          {
            "timestamp": "2026-04-16 20:00:27,721",
            "thread_id": "3964",
            "caller": "0x7726edc2",
            "parentcaller": "0x73714082",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004cc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8021
          },
          {
            "timestamp": "2026-04-16 20:00:27,721",
            "thread_id": "3964",
            "caller": "0x7726249c",
            "parentcaller": "0x737151b6",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004cc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00L\\x01\\x04\\x00\t\\x9d\\x93U\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x00\\x0e\\x01\\x0b\\x01\\x06\\x00\\x00\\xb2\\x15\\x00\\x00N\\x00\\x00\\x00\\x00\\x00\\x00\\xce\\xd0\\x15\\x00\\x00 \\x00\\x00\\x00\\xe0\\x15\\x00\\x00\\x00@\\x00\\x00 \\x00\\x00\\x00\\x02\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xd0\\x15\\x00K\\x00\\x00\\x00\\x00\\x00\\x16\\x00\\xd8I\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x16\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08 \\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00.text\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "512"
              }
            ],
            "repeated": 0,
            "id": 8022
          },
          {
            "timestamp": "2026-04-16 20:00:27,721",
            "thread_id": "3964",
            "caller": "0x7726269a",
            "parentcaller": "0x736fe7fc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004cc"
              }
            ],
            "repeated": 0,
            "id": 8023
          },
          {
            "timestamp": "2026-04-16 20:00:27,721",
            "thread_id": "3964",
            "caller": "0x737e55cd",
            "parentcaller": "0x737e545c",
            "category": "threading",
            "api": "NtYieldExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8024
          },
          {
            "timestamp": "2026-04-16 20:00:27,721",
            "thread_id": "3172",
            "caller": "0x738fbaa0",
            "parentcaller": "0x73878a61",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000004ce"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 8025
          },
          {
            "timestamp": "2026-04-16 20:00:27,721",
            "thread_id": "3172",
            "caller": "0x73832c2e",
            "parentcaller": "0x73878a85",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ce"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 8026
          },
          {
            "timestamp": "2026-04-16 20:00:27,721",
            "thread_id": "3172",
            "caller": "0x73832c2e",
            "parentcaller": "0x73878ad3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ce"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SysWOW64\\mscoree.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 8027
          },
          {
            "timestamp": "2026-04-16 20:00:27,721",
            "thread_id": "3172",
            "caller": "0x73878ae7",
            "parentcaller": "0x738788d7",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ce"
              }
            ],
            "repeated": 0,
            "id": 8028
          },
          {
            "timestamp": "2026-04-16 20:00:27,721",
            "thread_id": "3172",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\mscoree.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x74160000"
              }
            ],
            "repeated": 0,
            "id": 8029
          },
          {
            "timestamp": "2026-04-16 20:00:27,721",
            "thread_id": "3172",
            "caller": "0x77261d96",
            "parentcaller": "0x73857f86",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x74160000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\SysWOW64\\mscoree.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 8030
          },
          {
            "timestamp": "2026-04-16 20:00:27,721",
            "thread_id": "3172",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x74160000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7416e450"
              }
            ],
            "repeated": 0,
            "id": 8031
          },
          {
            "timestamp": "2026-04-16 20:00:27,721",
            "thread_id": "3172",
            "caller": "0x772627d9",
            "parentcaller": "0x77262732",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000238"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 8032
          },
          {
            "timestamp": "2026-04-16 20:00:27,721",
            "thread_id": "3172",
            "caller": "0x77265900",
            "parentcaller": "0x73e42647",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000238"
              }
            ],
            "repeated": 0,
            "id": 8033
          },
          {
            "timestamp": "2026-04-16 20:00:27,736",
            "thread_id": "3172",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8034
          },
          {
            "timestamp": "2026-04-16 20:00:27,736",
            "thread_id": "3172",
            "caller": "0x7726edc2",
            "parentcaller": "0x73714082",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004e4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8035
          },
          {
            "timestamp": "2026-04-16 20:00:27,736",
            "thread_id": "3964",
            "caller": "0x737e55cd",
            "parentcaller": "0x737e545c",
            "category": "threading",
            "api": "NtYieldExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 8036
          },
          {
            "timestamp": "2026-04-16 20:00:27,752",
            "thread_id": "4344",
            "caller": "0x07ec4cb2",
            "parentcaller": "0x0a160350",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 1,
            "id": 8037
          },
          {
            "timestamp": "2026-04-16 20:00:27,752",
            "thread_id": "3964",
            "caller": "0x737e55cd",
            "parentcaller": "0x737e545c",
            "category": "threading",
            "api": "NtYieldExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 6,
            "id": 8038
          },
          {
            "timestamp": "2026-04-16 20:00:27,783",
            "thread_id": "4344",
            "caller": "0x07ec4cb2",
            "parentcaller": "0x0a160350",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 1,
            "id": 8039
          },
          {
            "timestamp": "2026-04-16 20:00:27,799",
            "thread_id": "3172",
            "caller": "0x7726249c",
            "parentcaller": "0x737151b6",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004e4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll"
              },
              {
                "name": "Buffer",
                "value": "MZ\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x0e\\x1f\\xba\\x0e\\x00\\xb4\t\\xcd!\\xb8\\x01L\\xcd!This program cannot be run in DOS mode.\r\r\n$\\x00\\x00\\x00\\x00\\x00\\x00\\x00PE\\x00\\x00L\\x01\\x03\\x00VbGb\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x00\\x0e!\\x0b\\x01\\x08\\x00\\x00 =\\x00\\x00`\\x08\\x00\\x00\\x00\\x00\\x00n6=\\x00\\x00 \\x00\\x00\\x00@=\\x00\\x00\\x00\\x0cy\\x00 \\x00\\x00\\x00\\x10\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0E\\x00\\x00\\x10\\x00\\x00(\\xdcE\\x00\\x03\\x00@\\x04\\x00\\x00\\x10\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 8040
          },
          {
            "timestamp": "2026-04-16 20:00:27,799",
            "thread_id": "3172",
            "caller": "0x7726edc2",
            "parentcaller": "0x73714082",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004e4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8041
          },
          {
            "timestamp": "2026-04-16 20:00:27,799",
            "thread_id": "3172",
            "caller": "0x7726249c",
            "parentcaller": "0x737151b6",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004e4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00L\\x01\\x03\\x00VbGb\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x00\\x0e!\\x0b\\x01\\x08\\x00\\x00 =\\x00\\x00`\\x08\\x00\\x00\\x00\\x00\\x00n6=\\x00\\x00 \\x00\\x00\\x00@=\\x00\\x00\\x00\\x0cy\\x00 \\x00\\x00\\x00\\x10\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0E\\x00\\x00\\x10\\x00\\x00(\\xdcE\\x00\\x03\\x00@\\x04\\x00\\x00\\x10\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1c6=\\x00O\\x00\\x00\\x00\\x00@=\\x00tK\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0E\\x00\\x0c\\x00\\x00\\x00\\xb85=\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08 \\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00.text\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "512"
              }
            ],
            "repeated": 0,
            "id": 8042
          },
          {
            "timestamp": "2026-04-16 20:00:27,799",
            "thread_id": "3172",
            "caller": "0x7726edc2",
            "parentcaller": "0x73714082",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004e4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "x\\x01\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8043
          },
          {
            "timestamp": "2026-04-16 20:00:27,799",
            "thread_id": "3172",
            "caller": "0x7726249c",
            "parentcaller": "0x737151b6",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004e4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll"
              },
              {
                "name": "Buffer",
                "value": ".text\\x00\\x00\\x00t\\x16=\\x00\\x00 \\x00\\x00\\x00 =\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00`.rsrc\\x00\\x00\\x00tK\\x08\\x00\\x00@=\\x00\\x00P\\x08\\x00\\x000=\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00@.reloc\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\xa0E\\x00\\x00\\x10\\x00\\x00\\x00\\x80E\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00B\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "512"
              }
            ],
            "repeated": 0,
            "id": 8044
          },
          {
            "timestamp": "2026-04-16 20:00:27,814",
            "thread_id": "3172",
            "caller": "0x7726edc2",
            "parentcaller": "0x73714082",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004e4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xb8%=\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8045
          },
          {
            "timestamp": "2026-04-16 20:00:27,814",
            "thread_id": "3172",
            "caller": "0x7726249c",
            "parentcaller": "0x737151b6",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004e4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x00VbGb\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00%\\x00\\x00\\x00\\xd45=\\x00\\xd4%=\\x00RSDSy\\x05\\x08\\x99\\xd7\\xa0\\xc5@\\x97\\xfd&7\\xdf\\xe0\\xee\\x95\\x01\\x00\\x00\\x00mscorlib.pdb\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00D6=\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00^6=\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P6=\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00_CorDllMain\\x00mscoree.dll\\x00\\x00\\x00\\x00\\x00\\xff%\\x00 \\x0cy\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "512"
              }
            ],
            "repeated": 0,
            "id": 8046
          },
          {
            "timestamp": "2026-04-16 20:00:27,814",
            "thread_id": "3172",
            "caller": "0x7726edc2",
            "parentcaller": "0x73714082",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004e4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xd4%=\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8047
          },
          {
            "timestamp": "2026-04-16 20:00:27,814",
            "thread_id": "3172",
            "caller": "0x7726249c",
            "parentcaller": "0x737151b6",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004e4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll"
              },
              {
                "name": "Buffer",
                "value": "RSDSy\\x05\\x08\\x99\\xd7\\xa0\\xc5@\\x97\\xfd&7\\xdf\\xe0\\xee\\x95\\x01\\x00\\x00\\x00mscorlib.pdb\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00D6=\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00^6=\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P6=\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00_CorDllMain\\x00mscoree.dll\\x00\\x00\\x00\\x00\\x00\\xff%\\x00 \\x0cy\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "512"
              }
            ],
            "repeated": 0,
            "id": 8048
          },
          {
            "timestamp": "2026-04-16 20:00:27,814",
            "thread_id": "3172",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02f3a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8049
          },
          {
            "timestamp": "2026-04-16 20:00:27,814",
            "thread_id": "3172",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.pdb"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8050
          },
          {
            "timestamp": "2026-04-16 20:00:27,814",
            "thread_id": "3172",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\symbols\\dll\\mscorlib.pdb"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8051
          },
          {
            "timestamp": "2026-04-16 20:00:27,814",
            "thread_id": "3172",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\dll\\mscorlib.pdb"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8052
          },
          {
            "timestamp": "2026-04-16 20:00:27,814",
            "thread_id": "3172",
            "caller": "0x77261999",
            "parentcaller": "0x772616ce",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\mscorlib.pdb"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8053
          },
          {
            "timestamp": "2026-04-16 20:00:27,814",
            "thread_id": "3172",
            "caller": "0x7726269a",
            "parentcaller": "0x736fe7fc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              }
            ],
            "repeated": 0,
            "id": 8054
          },
          {
            "timestamp": "2026-04-16 20:00:27,814",
            "thread_id": "3172",
            "caller": "0x737e55cd",
            "parentcaller": "0x737e545c",
            "category": "threading",
            "api": "NtYieldExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8055
          },
          {
            "timestamp": "2026-04-16 20:00:27,830",
            "thread_id": "3964",
            "caller": "0x772761f1",
            "parentcaller": "0x737e2553",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05c72000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8056
          },
          {
            "timestamp": "2026-04-16 20:00:27,830",
            "thread_id": "3964",
            "caller": "0x77313384",
            "parentcaller": "0x77ee4a78",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "63"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8057
          },
          {
            "timestamp": "2026-04-16 20:00:27,830",
            "thread_id": "3964",
            "caller": "0x77ee4aa1",
            "parentcaller": "0x77ea7b2e",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ExitCode",
                "value": "0xe0434f4d"
              }
            ],
            "repeated": 0,
            "id": 8058
          }
        ],
        "threads": [
          "4344",
          "7688",
          "1168",
          "5476",
          "176",
          "6276",
          "6048",
          "5932",
          "3964",
          "7484",
          "3172"
        ],
        "environ": {
          "UserName": "cape",
          "ComputerName": "DESKTOP-PC01",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\cape\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe\" ",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "7c6d-8d48",
          "SystemVolumeGUID": "c48439d1-0000-0000-0000-100000000000",
          "MachineGUID": "",
          "MainExeBase": "0x00b10000",
          "MainExeSize": "0x00168000",
          "Bitness": "32-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 3832,
        "process_name": "dw20.exe",
        "parent_id": 7684,
        "module_path": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\dw20.exe",
        "first_seen": "2026-04-16 20:00:21,361",
        "calls": [
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x77e7007d",
            "parentcaller": "0x7726648d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x736e4a7a",
            "parentcaller": "0x736e2348",
            "category": "misc",
            "api": "HeapCreate",
            "status": true,
            "return": "0x03a00000",
            "arguments": [
              {
                "name": "Options",
                "value": "0"
              },
              {
                "name": "InitialSize",
                "value": "0x00001000"
              },
              {
                "name": "MaximumSize",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7726f231",
            "parentcaller": "0x736e2fe3",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "FlsAlloc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad1e20"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "FlsGetValue"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ace770"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "FlsSetValue"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad11e0"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "FlsFree"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad2050"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7726f231",
            "parentcaller": "0x736e2ba1",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 7,
            "id": 7
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7726f231",
            "parentcaller": "0x736e9658",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "InitializeCriticalSectionAndSpinCount"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad2fe0"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7726f231",
            "parentcaller": "0x736e2ba1",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 16,
            "id": 10
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03a01000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03a02000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7726f231",
            "parentcaller": "0x736fa957",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "IsProcessorFeaturePresent"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0b70"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7373339d",
            "parentcaller": "0x736e1762",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7726f231",
            "parentcaller": "0x736e4428",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "msvcrt.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76de0000"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "msvcrt.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76de0000"
              },
              {
                "name": "FunctionName",
                "value": "_set_error_mode"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76e37560"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "msvcrt.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76de0000"
              },
              {
                "name": "FunctionName",
                "value": "?set_terminate@@YAP6AXXZP6AXXZ@Z"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76e1a4b0"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "msvcrt.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76de0000"
              },
              {
                "name": "FunctionName",
                "value": "_get_terminate"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7726f231",
            "parentcaller": "0x736e1da6",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "FindActCtxSectionStringW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ac8900"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7726f231",
            "parentcaller": "0x736e1dcd",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "MSCoree.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x736e1dbe"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7726f231",
            "parentcaller": "0x736e1dd6",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "PGORT80.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x736e1dbe"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x77262ba1",
            "parentcaller": "0x76ace2b9",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x77264429",
            "parentcaller": "0x76ace2c9",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\\msvcr80.dll"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x77264566",
            "parentcaller": "0x76ace434",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c76a0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01ca0431"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x77275d68",
            "parentcaller": "0x76ace44d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000208"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x77264566",
            "parentcaller": "0x76ace434",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c75e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x77275d68",
            "parentcaller": "0x76ace44d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000208"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x77264566",
            "parentcaller": "0x76ace434",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c75e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\\msvcr80.dll"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xf1cf05b4"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x77275d68",
            "parentcaller": "0x76ace44d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000208"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x77262ba1",
            "parentcaller": "0x76ace569",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7726f231",
            "parentcaller": "0x736e1f08",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetSystemWindowsDirectoryW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ac9500"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x7726978d",
            "parentcaller": "0x76acf564",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\WinSxS\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\\msvcr80"
              },
              {
                "name": "BaseAddress",
                "value": "0x736e0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x736e232b"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x77e8de02",
            "parentcaller": "0x77e91903",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\psapi"
              },
              {
                "name": "BaseAddress",
                "value": "0x76a70000"
              },
              {
                "name": "InitRoutine",
                "value": "0x76a714d0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "3296",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "6988",
            "caller": "0x77e91c0e",
            "parentcaller": "0x77e8dbb1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000084"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 3,
            "id": 39
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "5372",
            "caller": "0x7726f231",
            "parentcaller": "0x736e2c18",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 2,
            "id": 40
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "5372",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "5372",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "6988",
            "caller": "0x7726f231",
            "parentcaller": "0x736e2c18",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 2,
            "id": 43
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "6988",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "6988",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "6880",
            "caller": "0x7726f231",
            "parentcaller": "0x736e2c18",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 2,
            "id": 46
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "6880",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "6880",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "2884",
            "caller": "0x7726f231",
            "parentcaller": "0x736e2c18",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 2,
            "id": 49
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "2884",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-04-16 20:00:21,643",
            "thread_id": "2884",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "3296",
            "caller": "0x1000512a",
            "parentcaller": "0x00000000",
            "category": "hooking",
            "api": "SetUnhandledExceptionFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ExceptionFilter",
                "value": "0x100050e2"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "3296",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03a03000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-04-16 20:00:21,658",
            "thread_id": "3296",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03a04000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-04-16 20:00:21,752",
            "thread_id": "3296",
            "caller": "0x10003066",
            "parentcaller": "0x1000312e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wer"
              },
              {
                "name": "DllBase",
                "value": "0x705a0000"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "3296",
            "caller": "0x10003066",
            "parentcaller": "0x1000312e",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wer.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x705a0000"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "3296",
            "caller": "0x1000307a",
            "parentcaller": "0x1000312e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x705a0000"
              },
              {
                "name": "FunctionName",
                "value": "WerReportCreate"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x705bddb0"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "3296",
            "caller": "0x1000308b",
            "parentcaller": "0x1000312e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x705a0000"
              },
              {
                "name": "FunctionName",
                "value": "WerReportSetParameter"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x705be4e0"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "3296",
            "caller": "0x1000309c",
            "parentcaller": "0x1000312e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x705a0000"
              },
              {
                "name": "FunctionName",
                "value": "WerReportAddFile"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x705be720"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "3296",
            "caller": "0x100030ad",
            "parentcaller": "0x1000312e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x705a0000"
              },
              {
                "name": "FunctionName",
                "value": "WerReportSetUIOption"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x705be8c0"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "3296",
            "caller": "0x100030be",
            "parentcaller": "0x1000312e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x705a0000"
              },
              {
                "name": "FunctionName",
                "value": "WerReportSubmit"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x705be960"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "3296",
            "caller": "0x100030cf",
            "parentcaller": "0x1000312e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x705a0000"
              },
              {
                "name": "FunctionName",
                "value": "WerReportAddDump"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x705bea90"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "3296",
            "caller": "0x100030e0",
            "parentcaller": "0x1000312e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x705a0000"
              },
              {
                "name": "FunctionName",
                "value": "WerReportCloseHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x705bebf0"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "3296",
            "caller": "0x10002861",
            "parentcaller": "0x10002c2e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004b8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02220000"
              },
              {
                "name": "SectionOffset",
                "value": "0x0019fc0c"
              },
              {
                "name": "ViewSize",
                "value": "0x0000a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "3296",
            "caller": "0x10002922",
            "parentcaller": "0x10002c2e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "3296",
            "caller": "0x10002c4b",
            "parentcaller": "0x10002f39",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000004b8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x10002bdf"
              },
              {
                "name": "Parameter",
                "value": "0x0019fc84"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "4696"
              },
              {
                "name": "ProcessId",
                "value": "3832"
              },
              {
                "name": "Module",
                "value": "dw20.exe"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "3296",
            "caller": "0x10002c4b",
            "parentcaller": "0x10002f39",
            "category": "threading",
            "api": "CreateThread",
            "status": true,
            "return": "0x000004b8",
            "arguments": [
              {
                "name": "StartRoutine",
                "value": "0x10002bdf"
              },
              {
                "name": "ModuleName",
                "value": "dw20.exe"
              },
              {
                "name": "Parameter",
                "value": "0x0019fc84"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "4696"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "3296",
            "caller": "0x10001b2c",
            "parentcaller": "0x10002c8c",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "3296",
            "caller": "0x10001b2c",
            "parentcaller": "0x10002c8c",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c8"
              },
              {
                "name": "Milliseconds",
                "value": "10000"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "3296",
            "caller": "0x10001b58",
            "parentcaller": "0x10002c8c",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "3296",
            "caller": "0x10001b58",
            "parentcaller": "0x10002c8c",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "Milliseconds",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4696",
            "caller": "0x7726f231",
            "parentcaller": "0x736e2c18",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 2,
            "id": 72
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4696",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4696",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-04-16 20:00:21,799",
            "thread_id": "4696",
            "caller": "0x10002bf4",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "SetThreadStackGuarantee",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "InputSize",
                "value": "5120"
              },
              {
                "name": "OutputSize",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "3296",
            "caller": "0x10001b85",
            "parentcaller": "0x10002c8c",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c8"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "3296",
            "caller": "0x10002c9c",
            "parentcaller": "0x10002f39",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "3296",
            "caller": "0x10002c9c",
            "parentcaller": "0x10002f39",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              },
              {
                "name": "Milliseconds",
                "value": "6666"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03cf1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-04-16 20:00:21,814",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000004cc"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000218"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\IPT"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e230"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00<\\x08"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x083c0000"
              },
              {
                "name": "Size",
                "value": "0x00000968"
              },
              {
                "name": "Buffer",
                "value": "h\t\\x00\\x00P\\x00E\\x00B\\x00_\\x00S\\x00I\\x00G\\x00N\\x00A\\x00T\\x00U\\x00R\\x00E\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\StateSeparation\\RedirectionMap\\Keys"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\StateSeparation\\RedirectionMap\\Keys"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000214"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000214"
              },
              {
                "name": "ValueName",
                "value": "Latest"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000214"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000214"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\wer.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000210"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000214"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\wer.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000210"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02230000"
              },
              {
                "name": "SectionOffset",
                "value": "0x03dfde50"
              },
              {
                "name": "ViewSize",
                "value": "0x00005000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000210"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-04-16 20:00:21,830",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000022c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000230"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000022c"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000230"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03e00000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00168000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03e00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000022c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000230"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000022c"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000230"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03e00000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00168000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03e00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ValueName",
                "value": "000603xx"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "kernel32.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "SortGetHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ace880"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "SortCloseHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ac97e0"
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000022c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000230"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000022c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\SortDefault.nls"
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000230"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03e00000"
              },
              {
                "name": "SectionOffset",
                "value": "0x03dfe7d4"
              },
              {
                "name": "ViewSize",
                "value": "0x00338000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000022c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000b"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000230"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000234"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "bcryptPrimitives.dll"
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000234"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76d80000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0005f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76dda000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76dda000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2026-04-16 20:00:21,846",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives"
              },
              {
                "name": "DllBase",
                "value": "0x76d80000"
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000023c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000023c"
              },
              {
                "name": "ValueName",
                "value": "STE"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000023c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000023c"
              },
              {
                "name": "ValueName",
                "value": "Enabled"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled"
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000240"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa"
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000240"
              },
              {
                "name": "ValueName",
                "value": "FipsAlgorithmPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000023c"
              },
              {
                "name": "ValueName",
                "value": "MDMEnabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled"
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000240"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\CNG"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000240"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390008",
                "pretty_value": "IOCTL_KSEC_RANDOM_FILL_BUFFER"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "IG\\xff\\xfd\\xe5?\\xaa%\\x93\\x12\\xe0\\xd2\\xc8`\\xbe<\\x80\\x162&h\\xd4\\xd5\\xac`F]S17\\x16\\x1e_\\x86\\_\\xd5\\x14\\xcbf\\x99\\xe0be\\xdd4\\x10\\xdf"
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\bcryptprimitives"
              },
              {
                "name": "BaseAddress",
                "value": "0x76d80000"
              },
              {
                "name": "InitRoutine",
                "value": "0x76db36c0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x769b1000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x769b1000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "aepic.dll"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\aepic.dll"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2026-04-16 20:00:21,861",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000248"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\aepic.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2026-04-16 20:00:22,158",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000248"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\aepic.dll"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70520000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00078000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70590000"
              },
              {
                "name": "ModuleName",
                "value": "aepic.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7058c000"
              },
              {
                "name": "ModuleName",
                "value": "aepic.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000210"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "shcore.dll"
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000210"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76f70000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00087000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76fec000"
              },
              {
                "name": "ModuleName",
                "value": "shcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76fe9000"
              },
              {
                "name": "ModuleName",
                "value": "shcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000210"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "ntmarta.dll"
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "cryptsp.dll"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76fe9000"
              },
              {
                "name": "ModuleName",
                "value": "shcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x005d4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ntmarta.dll"
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000248"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ntmarta.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000248"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\ntmarta.dll"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x704f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00029000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70515000"
              },
              {
                "name": "ModuleName",
                "value": "ntmarta.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 175
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70513000"
              },
              {
                "name": "ModuleName",
                "value": "ntmarta.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\cryptsp.dll"
              }
            ],
            "repeated": 0,
            "id": 179
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000248"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\cryptsp.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000248"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\cryptsp.dll"
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75280000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00013000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75290000"
              },
              {
                "name": "ModuleName",
                "value": "cryptsp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2026-04-16 20:00:22,174",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7528f000"
              },
              {
                "name": "ModuleName",
                "value": "cryptsp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2026-04-16 20:00:22,189",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2026-04-16 20:00:22,189",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2026-04-16 20:00:22,189",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70513000"
              },
              {
                "name": "ModuleName",
                "value": "ntmarta.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2026-04-16 20:00:22,189",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7058c000"
              },
              {
                "name": "ModuleName",
                "value": "aepic.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2026-04-16 20:00:22,189",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2026-04-16 20:00:22,189",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7528f000"
              },
              {
                "name": "ModuleName",
                "value": "cryptsp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2026-04-16 20:00:22,189",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\shcore"
              },
              {
                "name": "DllBase",
                "value": "0x76f70000"
              }
            ],
            "repeated": 0,
            "id": 193
          },
          {
            "timestamp": "2026-04-16 20:00:22,189",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\ntmarta"
              },
              {
                "name": "DllBase",
                "value": "0x704f0000"
              }
            ],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2026-04-16 20:00:22,189",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\cryptsp"
              },
              {
                "name": "DllBase",
                "value": "0x75280000"
              }
            ],
            "repeated": 0,
            "id": 195
          },
          {
            "timestamp": "2026-04-16 20:00:22,205",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\aepic"
              },
              {
                "name": "DllBase",
                "value": "0x70520000"
              }
            ],
            "repeated": 0,
            "id": 196
          },
          {
            "timestamp": "2026-04-16 20:00:22,205",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\SHCore"
              },
              {
                "name": "BaseAddress",
                "value": "0x76f70000"
              },
              {
                "name": "InitRoutine",
                "value": "0x76fb2480"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2026-04-16 20:00:22,205",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\ntmarta"
              },
              {
                "name": "BaseAddress",
                "value": "0x704f0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x704f7e90"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2026-04-16 20:00:22,205",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\cryptsp"
              },
              {
                "name": "BaseAddress",
                "value": "0x75280000"
              },
              {
                "name": "InitRoutine",
                "value": "0x75285d30"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x005d5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetNtSystemRoot"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e802a0"
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000278"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000278"
              },
              {
                "name": "ValueName",
                "value": "LogFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\LogFlags"
              }
            ],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000278"
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\OSDATA\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\OSDATA\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "api-ms-win-eventing-provider-l1-1-0.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77150000"
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77150000"
              },
              {
                "name": "FunctionName",
                "value": "EventSetInformation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e70b80"
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 3,
            "id": 211
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 212
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "CommercialDataOptIn"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\CommercialDataOptIn"
              }
            ],
            "repeated": 0,
            "id": 214
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 1,
            "id": 216
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x005d6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 217
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x005d7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 218
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\aepic"
              },
              {
                "name": "BaseAddress",
                "value": "0x70520000"
              },
              {
                "name": "InitRoutine",
                "value": "0x70539e50"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 219
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70642000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70642000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 221
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 222
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetPersistedStateLocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea5cc0"
              }
            ],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 224
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              }
            ],
            "repeated": 0,
            "id": 225
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "AmiOverridePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Windows\\AppCompat\\Programs\\Amcache.hve.tmp"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiOverridePath"
              }
            ],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 227
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\AppCompat\\Programs\\Amcache.hve.tmp"
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 229
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000002",
                "pretty_value": "KEY_SET_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              }
            ],
            "repeated": 0,
            "id": 230
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtDeleteValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "AmiOverridePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiOverridePath"
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 232
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 233
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetPersistedStateLocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea5cc0"
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\AppCompat\\Programs\\Amcache.hve"
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 236
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetPersistedStateLocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea5cc0"
              }
            ],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 238
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              }
            ],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "AmiOverridePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiOverridePath"
              }
            ],
            "repeated": 0,
            "id": 240
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 241
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 242
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetPersistedStateLocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea5cc0"
              }
            ],
            "repeated": 0,
            "id": 243
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetPersistedStateLocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea5cc0"
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\AppCompat\\Programs\\Amcache.hve"
              }
            ],
            "repeated": 0,
            "id": 246
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 247
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetPersistedStateLocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea5cc0"
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 249
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "AmiHivePermissionsCorrect"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiHivePermissionsCorrect"
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 252
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 253
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "AmiHiveOwnerCorrect"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiHiveOwnerCorrect"
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2026-04-16 20:00:22,346",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 257
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000028"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 258
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 259
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 260
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtLoadKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TrustClassKey",
                "value": "0x00000000"
              },
              {
                "name": "TargetKeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "TargetKeyName",
                "value": "\\REGISTRY\\A\\{46befe72-aa89-2476-03fe-662f81474abf}"
              },
              {
                "name": "TargetKey",
                "value": "\\REGISTRY\\A\\{46befe72-aa89-2476-03fe-662f81474abf}"
              },
              {
                "name": "SourceFile",
                "value": "C:\\Windows\\AppCompat\\Programs\\Amcache.hve"
              },
              {
                "name": "Flags",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 261
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtCreateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000280"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f003f",
                "pretty_value": "KEY_ALL_ACCESS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Root"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 262
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtCreateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000284"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f003f",
                "pretty_value": "KEY_ALL_ACCESS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000280"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InventoryApplicationFile"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 263
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 264
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000284"
              },
              {
                "name": "ValueName",
                "value": "WritePermissionsCheck"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Buffer",
                "value": "1"
              },
              {
                "name": "BufferLength",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\WritePermissionsCheck"
              }
            ],
            "repeated": 0,
            "id": 265
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtCreateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f003f",
                "pretty_value": "KEY_ALL_ACCESS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000284"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PermissionsCheckTestKey"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\PermissionsCheckTestKey"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Disposition",
                "value": "1",
                "pretty_value": "REG_CREATED_NEW_KEY"
              }
            ],
            "repeated": 0,
            "id": 266
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 267
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "RegDeleteKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000284"
              },
              {
                "name": "SubKey",
                "value": "PermissionsCheckTestKey"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\PermissionsCheckTestKey"
              }
            ],
            "repeated": 0,
            "id": 268
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000284"
              },
              {
                "name": "ValueName",
                "value": "ProviderVersion"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\ProviderVersion"
              }
            ],
            "repeated": 0,
            "id": 269
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xa9oz\\x08\\x00\\x00\\x00\\x00%\\x8e3\\xee\\xa7\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4696"
              }
            ],
            "repeated": 0,
            "id": 270
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x005d8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 271
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 272
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlAreLongPathsEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea4e30"
              }
            ],
            "repeated": 0,
            "id": 273
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02243000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 274
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "FILE_READ_ACCESS"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\??"
              }
            ],
            "repeated": 0,
            "id": 275
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              }
            ],
            "repeated": 0,
            "id": 276
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 277
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 278
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 279
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetPersistedStateLocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea5cc0"
              }
            ],
            "repeated": 0,
            "id": 280
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 281
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              }
            ],
            "repeated": 0,
            "id": 282
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "AmiOverridePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiOverridePath"
              }
            ],
            "repeated": 0,
            "id": 283
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 284
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 285
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetPersistedStateLocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea5cc0"
              }
            ],
            "repeated": 0,
            "id": 286
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\AppCompat\\Programs\\Amcache.hve"
              }
            ],
            "repeated": 0,
            "id": 287
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 288
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetPersistedStateLocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea5cc0"
              }
            ],
            "repeated": 0,
            "id": 289
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 290
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              }
            ],
            "repeated": 0,
            "id": 291
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "AmiOverridePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiOverridePath"
              }
            ],
            "repeated": 0,
            "id": 292
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 293
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 294
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetPersistedStateLocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea5cc0"
              }
            ],
            "repeated": 0,
            "id": 295
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 296
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetPersistedStateLocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea5cc0"
              }
            ],
            "repeated": 0,
            "id": 297
          },
          {
            "timestamp": "2026-04-16 20:00:22,361",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\AppCompat\\Programs\\Amcache.hve"
              }
            ],
            "repeated": 0,
            "id": 298
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 299
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetPersistedStateLocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea5cc0"
              }
            ],
            "repeated": 0,
            "id": 300
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 301
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              }
            ],
            "repeated": 0,
            "id": 302
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "AmiHivePermissionsCorrect"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiHivePermissionsCorrect"
              }
            ],
            "repeated": 0,
            "id": 303
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 304
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 305
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              }
            ],
            "repeated": 0,
            "id": 306
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "AmiHiveOwnerCorrect"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiHiveOwnerCorrect"
              }
            ],
            "repeated": 0,
            "id": 307
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 308
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 309
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000028"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 310
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 311
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 312
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtLoadKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TrustClassKey",
                "value": "0x00000000"
              },
              {
                "name": "TargetKeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "TargetKeyName",
                "value": "\\REGISTRY\\A\\{d7108e4b-2f2d-26a2-631e-cc56ec80dae0}"
              },
              {
                "name": "TargetKey",
                "value": "\\REGISTRY\\A\\{d7108e4b-2f2d-26a2-631e-cc56ec80dae0}"
              },
              {
                "name": "SourceFile",
                "value": "C:\\Windows\\AppCompat\\Programs\\Amcache.hve"
              },
              {
                "name": "Flags",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 313
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtCreateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000294"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f003f",
                "pretty_value": "KEY_ALL_ACCESS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Root"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 314
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtCreateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000298"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f003f",
                "pretty_value": "KEY_ALL_ACCESS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000294"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InventoryApplicationFile"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 315
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 316
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "WritePermissionsCheck"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Buffer",
                "value": "1"
              },
              {
                "name": "BufferLength",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\WritePermissionsCheck"
              }
            ],
            "repeated": 0,
            "id": 317
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtCreateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f003f",
                "pretty_value": "KEY_ALL_ACCESS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000298"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PermissionsCheckTestKey"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\PermissionsCheckTestKey"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Disposition",
                "value": "1",
                "pretty_value": "REG_CREATED_NEW_KEY"
              }
            ],
            "repeated": 0,
            "id": 318
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 319
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "RegDeleteKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "SubKey",
                "value": "PermissionsCheckTestKey"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\PermissionsCheckTestKey"
              }
            ],
            "repeated": 0,
            "id": 320
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "ProviderVersion"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\ProviderVersion"
              }
            ],
            "repeated": 0,
            "id": 321
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 322
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "IsWow64Process2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77266cd0"
              }
            ],
            "repeated": 0,
            "id": 323
          },
          {
            "timestamp": "2026-04-16 20:00:22,377",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000298"
              },
              {
                "name": "ObjectAttributesName",
                "value": "nanocore.exe|3a2172e6e43654d1"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1"
              }
            ],
            "repeated": 0,
            "id": 324
          },
          {
            "timestamp": "2026-04-16 20:00:22,455",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 325
          },
          {
            "timestamp": "2026-04-16 20:00:22,455",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000027c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x16\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 326
          },
          {
            "timestamp": "2026-04-16 20:00:22,471",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000027c"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 327
          },
          {
            "timestamp": "2026-04-16 20:00:22,471",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7fce0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00161000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 328
          },
          {
            "timestamp": "2026-04-16 20:00:22,471",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 329
          },
          {
            "timestamp": "2026-04-16 20:00:22,471",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 330
          },
          {
            "timestamp": "2026-04-16 20:00:22,518",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\sfc"
              },
              {
                "name": "DllBase",
                "value": "0x66680000"
              }
            ],
            "repeated": 0,
            "id": 331
          },
          {
            "timestamp": "2026-04-16 20:00:22,518",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "sfc.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x66680000"
              }
            ],
            "repeated": 0,
            "id": 332
          },
          {
            "timestamp": "2026-04-16 20:00:22,564",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\sfc_os"
              },
              {
                "name": "DllBase",
                "value": "0x704e0000"
              }
            ],
            "repeated": 0,
            "id": 333
          },
          {
            "timestamp": "2026-04-16 20:00:22,564",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "sfc.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x66680000"
              },
              {
                "name": "FunctionName",
                "value": "SfcIsFileProtected"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x704e4050"
              }
            ],
            "repeated": 0,
            "id": 334
          },
          {
            "timestamp": "2026-04-16 20:00:22,564",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "c:\\users\\cape\\appdata\\local\\temp\\nanocore.exe"
              }
            ],
            "repeated": 0,
            "id": 335
          },
          {
            "timestamp": "2026-04-16 20:00:22,564",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\FileMaps\\users_cape_appdata_local_temp_4cb87852de49944d.cdf-ms"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              }
            ],
            "repeated": 0,
            "id": 336
          },
          {
            "timestamp": "2026-04-16 20:00:22,564",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000210"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "SETUPAPI.dll"
              }
            ],
            "repeated": 0,
            "id": 337
          },
          {
            "timestamp": "2026-04-16 20:00:22,580",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000210"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76180000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00439000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 338
          },
          {
            "timestamp": "2026-04-16 20:00:22,580",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7625a000"
              },
              {
                "name": "ModuleName",
                "value": "SETUPAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 339
          },
          {
            "timestamp": "2026-04-16 20:00:22,580",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 340
          },
          {
            "timestamp": "2026-04-16 20:00:22,580",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 341
          },
          {
            "timestamp": "2026-04-16 20:00:22,580",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76256000"
              },
              {
                "name": "ModuleName",
                "value": "SETUPAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 342
          },
          {
            "timestamp": "2026-04-16 20:00:22,580",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000228"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "cfgmgr32.dll"
              }
            ],
            "repeated": 0,
            "id": 343
          },
          {
            "timestamp": "2026-04-16 20:00:22,580",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000228"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77480000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0003b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 344
          },
          {
            "timestamp": "2026-04-16 20:00:22,580",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x774b7000"
              },
              {
                "name": "ModuleName",
                "value": "cfgmgr32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 345
          },
          {
            "timestamp": "2026-04-16 20:00:22,580",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 346
          },
          {
            "timestamp": "2026-04-16 20:00:22,580",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 347
          },
          {
            "timestamp": "2026-04-16 20:00:22,580",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x774b5000"
              },
              {
                "name": "ModuleName",
                "value": "cfgmgr32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 348
          },
          {
            "timestamp": "2026-04-16 20:00:22,580",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000228"
              }
            ],
            "repeated": 0,
            "id": 349
          },
          {
            "timestamp": "2026-04-16 20:00:22,580",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000210"
              }
            ],
            "repeated": 0,
            "id": 350
          },
          {
            "timestamp": "2026-04-16 20:00:22,580",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x774b5000"
              },
              {
                "name": "ModuleName",
                "value": "cfgmgr32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 351
          },
          {
            "timestamp": "2026-04-16 20:00:22,580",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76256000"
              },
              {
                "name": "ModuleName",
                "value": "SETUPAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 352
          },
          {
            "timestamp": "2026-04-16 20:00:22,580",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\cfgmgr32"
              },
              {
                "name": "DllBase",
                "value": "0x77480000"
              }
            ],
            "repeated": 0,
            "id": 353
          },
          {
            "timestamp": "2026-04-16 20:00:22,580",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\SETUPAPI"
              },
              {
                "name": "DllBase",
                "value": "0x76180000"
              }
            ],
            "repeated": 0,
            "id": 354
          },
          {
            "timestamp": "2026-04-16 20:00:22,580",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000029c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\DeviceApi\\CMApi"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 355
          },
          {
            "timestamp": "2026-04-16 20:00:22,580",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 356
          },
          {
            "timestamp": "2026-04-16 20:00:22,580",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\cfgmgr32"
              },
              {
                "name": "BaseAddress",
                "value": "0x77480000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7748d450"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 357
          },
          {
            "timestamp": "2026-04-16 20:00:22,580",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "MutexName",
                "value": ""
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 358
          },
          {
            "timestamp": "2026-04-16 20:00:22,580",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b4"
              },
              {
                "name": "MutexName",
                "value": ""
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 359
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 360
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\setupapi"
              },
              {
                "name": "BaseAddress",
                "value": "0x76180000"
              },
              {
                "name": "InitRoutine",
                "value": "0x761af790"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 361
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x704ec000"
              },
              {
                "name": "ModuleName",
                "value": "sfc_os.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 362
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x704ec000"
              },
              {
                "name": "ModuleName",
                "value": "sfc_os.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 363
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 364
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "software\\microsoft\\windows\\currentversion\\setup\\PnpLockdownFiles"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\setup\\PnpLockdownFiles"
              }
            ],
            "repeated": 0,
            "id": 365
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "%SystemDrive%/users/cape/appdata/local/temp/nanocore.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\PnpLockdownFiles\\%SystemDrive%/users/cape/appdata/local/temp/nanocore.exe"
              }
            ],
            "repeated": 0,
            "id": 366
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 367
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\rsaenh"
              },
              {
                "name": "DllBase",
                "value": "0x74c10000"
              }
            ],
            "repeated": 0,
            "id": 368
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\rsaenh.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x74c10000"
              }
            ],
            "repeated": 0,
            "id": 369
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "crypto",
            "api": "CryptAcquireContextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Container",
                "value": ""
              },
              {
                "name": "Provider",
                "value": "Microsoft Base Cryptographic Provider v1.0"
              },
              {
                "name": "Flags",
                "value": "0xf0000000"
              }
            ],
            "repeated": 0,
            "id": 370
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\bcryptprimitives.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x76d80000"
              }
            ],
            "repeated": 0,
            "id": 371
          },
          {
            "timestamp": "2026-04-16 20:00:22,596",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "crypto",
            "api": "CryptCreateHash",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Algid",
                "value": "0x00008004",
                "pretty_value": "SHA1"
              },
              {
                "name": "CryptKey",
                "value": "0x00000000"
              },
              {
                "name": "Hash object",
                "value": "0x005c77e0"
              }
            ],
            "repeated": 0,
            "id": 372
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "crypto",
            "api": "CryptHashData",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "CryptHash",
                "value": "0x005c77e0"
              },
              {
                "name": "Buffer",
                "value": "MZ\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x0e\\x1f\\xba\\x0e\\x00\\xb4\t\\xcd!\\xb8\\x01L\\xcd!This program cannot be run in DOS mode.\r\r\n$\\x00\\x00\\x00\\x00\\x00\\x00\\x00PE\\x00\\x00L\\x01\\x04\\x00\t\\x9d\\x93U\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x00\\x0e\\x01\\x0b\\x01\\x06\\x00\\x00\\xb2\\x15\\x00\\x00N\\x00\\x00\\x00\\x00\\x00\\x00\\xce\\xd0\\x15\\x00\\x00 \\x00\\x00\\x00\\xe0\\x15\\x00\\x00\\x00@\\x00\\x00 \\x00\\x00\\x00\\x02\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xd0\\x15\\x00K\\x00\\x00\\x00\\x00\\x00\\x16\\x00\\xd8I\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x16\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08 \\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00.text\\x00\\x00\\x00\\xd4\\xb0\\x15\\x00\\x00 \\x00\\x00\\x00\\xb2\\x15\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 
\\x00\\x00`.sdata\\x00\\x00\\xe8\\x01\\x00\\x00\\x00\\xe0\\x15\\x00\\x00\\x02\\x00\\x00\\x00\\xb6\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\xc0.rsrc\\x00\\x00\\x00\\xd8I\\x00\\x00\\x00\\x00\\x16\\x00\\x00J\\x00\\x00\\x00\\xb8\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00@.reloc\\x00\\x00\\x0c\\x00\\x00\\x00\\x00`\\x16\\x00\\x00\\x02\\x00\\x00\\x00\\x02\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00B\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0
0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xd0\\x15\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x02\\x00\\x05\\x00\\x8c\\x90\\x02\\x00\\xbe\\x1c\\x06\\x00\\x03\\x00\\x00\\x004\\x17\\x00\\x06J\\xad\\x08\\x00+#\r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1a(\\xcd \\x00\\x06*\\x00\\x1a(\\xcd 
\\x00\\x06*\\x00\\x130\\x04\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00*\\x130\\x03\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\xa5/\\x00\\x00\\x01*\\x030\\x08\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00*\\x01\\x10\\x00\\x00\\x02\\x00\\x15\\x00\\x94\\xa9\\x00\\x17\\x00\\x00\\x00\\x00\\x12\\x00\\x00\\x17*\\x00\\x00\\x00\\x12\\x00\\x00\\x00*\\x00\\x00\\x00\\x12\\x00\\x00\\x00*\\x00\\x00\\x00\\x130\\x03\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00*\\x12\\x00\\x00\\x16*\\x00\\x00\\x00\\x12\\x00\\x00\\x00*\\x00\\x00\\x00\\x130\\x03\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00*\\x130\\x03\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00*\\x130\\x05\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00*\\x130\\x05\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00*\\x12\\x00\\x00\\x00*\\x00\\x00\\x00\\x12\\x00\\x00\\x00*\\x00\\x00\\x00\"\\x00\\x14\\xa5/\\x00\\x00\\x01*\\x00\\x00\\x00\\x12\\x00\\x00\\x00*\\x00\\x00\\x00\\x12\\x00\\x00\\x17*\\x00\\x00\\x00\\x12\\x00\\x00\\x17*\\x00\\x00\\x00\\x12\\x00\\x00\\x14*\\x00\\x00\\x00\\x12\\x00\\x00\\x14*\\x00\\x00\\x00\\x12\\x00\\x00\\x14*\\x00\\x00\\x00\\x12\\x00\\x00\\x00*\\x00\\x00\\x00\\x12\\x00\\x00\\x17*\\x00\\x00\\x00\\x12\\x00\\x00\\x00*\\x00\\x00\\x00\\x12\\x00\\x00\\x14*\\x00\\x00\\x00\\x12\\x00\\x00\\x00*\\x00\\x00\\x00\\x12\\x00\\x00\\x14*\\x00\\x00\\x00\\x12\\x00\\x00\\x00*\\x00\\x00\\x00\\x12\\x00\\x00\\x00*\\x00\\x00\\x00\\x12\\x00\\x00\\x16*\\x00\\x00\\x00\\x12\\x00\\x00\\x17*\\x00\\x00\\x00\\x12\\x00\\x00\\x00*\\x00\\x00\\x00\\x12\\x00\\x00\\x00*\\x00\\x00\\x00\\x12\\x00\\x00\\x14*\\x00\\x00\\x00\\x12\\x00\\x00\\x17*\\x00\\x00\\x00\"\\x00\\x14\\xa57\\x00\\x00\\x01*\\x00\\x00\\x00\\x12\\x00\\x00\\x00*\\x00\\x00\\x00\\x12\\x00\\x00\\x00*\\x00\\x00\\x00\\x1a(\\xcd 
\\x00\\x06*\\x00\\x130\\x03\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14*\\x12\\x00\\x00\\x14*\\x00\\x00\\x00\\x12\\x00\\x00\\x00*\\x00\\x00\\x00\\x130\\x04\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14*\\x130\\x04\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14*\\x130\\x04\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14*\\x12\\x00\\x00\\x14*\\x00\\x00\\x00\\x12\\x00\\x00\\x14*\\x00\\x00\\x00\\x130\\x04\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14*\\x12\\x00\\x00\\x14*\\x00\\x00\\x00\\x130\\x04\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14*\\x130\\x04\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14*\\x130\\x04\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14*\\x130\\x04\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14*\\x130\\x04\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14*\\x130\\x04\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14*\\x12\\x00\\x00\\x14*\\x00\\x00\\x00\\x12\\x00\\x00\\x14*\\x00\\x00\\x00\\x130\\x04\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14*\\x130\\x04\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14*\\x130\\x04\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14*\\x130\\x04\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14*\\x130\\x04\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14*\\x12\\x00\\x00\\x14*\\x00\\x00\\x00\\x130\\x04\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14*\\x130\\x04\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14*\\x130\\x04\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14*\\x12\\x00\\x00\\x14*\\x00\\x00\\x00\\x130\\x04\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14*\\x12\\x00\\x00\\x14*\\x00\\x00\\x00.(\\xcd 
\\x00\\x06(U\\x00\\x00\\x06*\\x12\\x00\\x00\\x17*\\x00\\x00\\x00\"\\x00\\x14\\xa5E\\x00\\x00\\x01*\\x00\\x00\\x00\\x12\\x00\\x00\\x14*\\x00\\x00\\x00\\x12\\x00\\x00\\x17*\\x00\\x00\\x00\\x12\\x00\\x00\\x17*\\x00\\x00\\x00\\x12\\x00\\x00\\x14*\\x00\\x00\\x00\\x12\\x00\\x00\\x14*\\x00\\x00\\x00\\x12\\x00\\x00\\x14*\\x00\\x00\\x00\\x12\\x00\\x00\\x14*\\x00\\x00\\x00\\x12\\x00\\x00\\x00*\\x00\\x00\\x00\\x130\\x03\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00*\\x030\\x08\\x00"
              },
              {
                "name": "Length",
                "value": "1442816"
              }
            ],
            "repeated": 0,
            "id": 373
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c7220",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x57b0ced7"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dcacc6"
              }
            ],
            "repeated": 0,
            "id": 374
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 375
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlDosPathNameToNtPathName_U",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DosFileName",
                "value": "c:\\users\\cape\\appdata\\local\\temp\\nanocore.exe"
              }
            ],
            "repeated": 0,
            "id": 376
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\FileMaps\\users_cape_appdata_local_temp_4cb87852de49944d.cdf-ms"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              }
            ],
            "repeated": 0,
            "id": 377
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 378
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "software\\microsoft\\windows\\currentversion\\setup\\PnpLockdownFiles"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\setup\\PnpLockdownFiles"
              }
            ],
            "repeated": 0,
            "id": 379
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "%SystemDrive%/users/cape/appdata/local/temp/nanocore.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\PnpLockdownFiles\\%SystemDrive%/users/cape/appdata/local/temp/nanocore.exe"
              }
            ],
            "repeated": 0,
            "id": 380
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 381
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 382
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 383
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7fce0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00161000"
              }
            ],
            "repeated": 0,
            "id": 384
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 385
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000024c"
              },
              {
                "name": "IoControlCode",
                "value": "0x000900eb"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "X\\x00\\x00\\x00\\x02\\x00\\x00\\x00l\\x04\\x00\\x00\\x00\\x00\\x02\\x00\\x05\\xa2\\x01\\x00\\x00\\x00\\x02\\x008\\xe8\\x1d\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x18\\x00<\\x00N\\x00a\\x00n\\x00o\\x00C\\x00o\\x00r\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 386
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 387
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000298"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 388
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "MutexName",
                "value": "Global\\AmiProviderMutex_InventoryApplicationFile"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 389
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 390
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "1000"
              }
            ],
            "repeated": 0,
            "id": 391
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "ProviderSyncId"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{57852d72-bcea-4e97-b753-abb8f58c9301}"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\ProviderSyncId"
              }
            ],
            "repeated": 0,
            "id": 392
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 393
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 394
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "ApiSetQueryApiSetPresence"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea6da0"
              }
            ],
            "repeated": 0,
            "id": 395
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "76"
              }
            ],
            "repeated": 0,
            "id": 396
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "76"
              }
            ],
            "repeated": 0,
            "id": 397
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 398
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000027c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00560000",
                "pretty_value": "IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xff\\x18\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 399
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 400
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 401
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000027c"
              },
              {
                "name": "IoControlCode",
                "value": "0x002d1400",
                "pretty_value": "IOCTL_STORAGE_QUERY_PROPERTY"
              },
              {
                "name": "InBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x161w"
              },
              {
                "name": "OutBuffer",
                "value": "(\\x00\\x00\\x00\\x8c\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 402
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000027c"
              },
              {
                "name": "IoControlCode",
                "value": "0x002d1400",
                "pretty_value": "IOCTL_STORAGE_QUERY_PROPERTY"
              },
              {
                "name": "InBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x161w"
              },
              {
                "name": "OutBuffer",
                "value": "(\\x00\\x00\\x00\\x8c\\x01\\x00\\x00\\x00\\x00\\x00\\x01(\\x00\\x00\\x001\\x00\\x00\\x00B\\x00\\x00\\x00G\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Red Hat \\x00VirtIO\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 403
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 404
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000001b8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\KsecDD"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390400"
              },
              {
                "name": "InputBuffer",
                "value": "M<+\\x1a\\x00\\x00\\x02\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00;\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00S\\x00H\\x00A\\x001\\x00\\x00\\x00\\x00\\x00\\xb4\\xd12wM\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00 \\x00P\\x00r\\x00i\\x00m\\x00i\\x00t\\x00i\\x00v\\x00e\\x00 \\x00P\\x00r\\x00o\\x00v\\x00i\\x00d\\x00e\\x00r\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00A\\x001\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xa0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xffS\\x00H\\x00A\\x001\\x00\\x00\\x00m\\x00i\\x00t\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00 \\x00P\\x00r\\x00i\\x00m\\x00i\\x00t\\x00i\\x00v\\x00e\\x00 \\x00P\\x00r\\x00o\\x00v\\x00i\\x00d\\x00e\\x00r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\x00c\\x00r\\x00y\\x00p\\x00t\\x00p\\x00r\\x00i\\x00m\\x00i\\x00t\\x00i\\x00v\\x00e\\x00s\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 405
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76d80000"
              },
              {
                "name": "FunctionName",
                "value": "GetHashInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76d95880"
              }
            ],
            "repeated": 0,
            "id": 406
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f003f",
                "pretty_value": "KEY_ALL_ACCESS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000298"
              },
              {
                "name": "ObjectAttributesName",
                "value": "nanocore.exe|3a2172e6e43654d1"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1"
              }
            ],
            "repeated": 0,
            "id": 407
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtCreateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f003f",
                "pretty_value": "KEY_ALL_ACCESS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000298"
              },
              {
                "name": "ObjectAttributesName",
                "value": "nanocore.exe|3a2172e6e43654d1"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Disposition",
                "value": "1",
                "pretty_value": "REG_CREATED_NEW_KEY"
              }
            ],
            "repeated": 0,
            "id": 408
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "ProgramId"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Buffer",
                "value": "00067c4da96f7a7a41962abd02591e90dbfa00000000"
              },
              {
                "name": "BufferLength",
                "value": "90"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\ProgramId"
              }
            ],
            "repeated": 0,
            "id": 409
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "FileId"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Buffer",
                "value": "0000be64732f46c8a26a5bbf9d7f69c7f031b2c5180b"
              },
              {
                "name": "BufferLength",
                "value": "90"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\FileId"
              }
            ],
            "repeated": 0,
            "id": 410
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "LowerCaseLongPath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Buffer",
                "value": "c:\\users\\cape\\appdata\\local\\temp\\nanocore.exe"
              },
              {
                "name": "BufferLength",
                "value": "92"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\LowerCaseLongPath"
              }
            ],
            "repeated": 0,
            "id": 411
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "LongPathHash"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Buffer",
                "value": "nanocore.exe|3a2172e6e43654d1"
              },
              {
                "name": "BufferLength",
                "value": "92"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\LongPathHash"
              }
            ],
            "repeated": 0,
            "id": 412
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Buffer",
                "value": "NanoCore.exe"
              },
              {
                "name": "BufferLength",
                "value": "26"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\Name"
              }
            ],
            "repeated": 0,
            "id": 413
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "OriginalFileName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Buffer",
                "value": "nanocore.exe"
              },
              {
                "name": "BufferLength",
                "value": "26"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\OriginalFileName"
              }
            ],
            "repeated": 0,
            "id": 414
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "Publisher"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Buffer",
                "value": ""
              },
              {
                "name": "BufferLength",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\Publisher"
              }
            ],
            "repeated": 0,
            "id": 415
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "Version"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Buffer",
                "value": "1.2.2.0"
              },
              {
                "name": "BufferLength",
                "value": "16"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\Version"
              }
            ],
            "repeated": 0,
            "id": 416
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "BinFileVersion"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Buffer",
                "value": "1.2.2.0"
              },
              {
                "name": "BufferLength",
                "value": "16"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\BinFileVersion"
              }
            ],
            "repeated": 0,
            "id": 417
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "BinaryType"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Buffer",
                "value": "pe32_clr_32"
              },
              {
                "name": "BufferLength",
                "value": "24"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\BinaryType"
              }
            ],
            "repeated": 0,
            "id": 418
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "ProductName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Buffer",
                "value": ""
              },
              {
                "name": "BufferLength",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\ProductName"
              }
            ],
            "repeated": 0,
            "id": 419
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "ProductVersion"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Buffer",
                "value": "1.2.2.0"
              },
              {
                "name": "BufferLength",
                "value": "16"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\ProductVersion"
              }
            ],
            "repeated": 0,
            "id": 420
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "LinkDate"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Buffer",
                "value": "07/01/2015 07:55:53"
              },
              {
                "name": "BufferLength",
                "value": "40"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\LinkDate"
              }
            ],
            "repeated": 0,
            "id": 421
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "BinProductVersion"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Buffer",
                "value": "1.2.2.0"
              },
              {
                "name": "BufferLength",
                "value": "16"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\BinProductVersion"
              }
            ],
            "repeated": 0,
            "id": 422
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "AppxPackageFullName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Buffer",
                "value": ""
              },
              {
                "name": "BufferLength",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\AppxPackageFullName"
              }
            ],
            "repeated": 0,
            "id": 423
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "AppxPackageRelativeId"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Buffer",
                "value": ""
              },
              {
                "name": "BufferLength",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\AppxPackageRelativeId"
              }
            ],
            "repeated": 0,
            "id": 424
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "Size"
              },
              {
                "name": "Type",
                "value": "11"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x04\\x16\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "BufferLength",
                "value": "8"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\Size"
              }
            ],
            "repeated": 0,
            "id": 425
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "Language"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Buffer",
                "value": "0"
              },
              {
                "name": "BufferLength",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\Language"
              }
            ],
            "repeated": 0,
            "id": 426
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "Usn"
              },
              {
                "name": "Type",
                "value": "11"
              },
              {
                "name": "Buffer",
                "value": "8\\xe8\\x1d\\x04\\x00\\x00\\x00\\x00"
              },
              {
                "name": "BufferLength",
                "value": "8"
              },
              {
                "name": "FullName",
                "value": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\Usn"
              }
            ],
            "repeated": 0,
            "id": 427
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 428
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "wdscore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x000c000b"
              }
            ],
            "repeated": 0,
            "id": 429
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "p!S\\x12\\x00\\x00\\x00\\x00C\"\\x17\\x16\\xa8\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4696"
              }
            ],
            "repeated": 0,
            "id": 430
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              }
            ],
            "repeated": 0,
            "id": 431
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 432
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10002aeb",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 433
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10001e35",
            "parentcaller": "0x10002b5a",
            "category": "threading",
            "api": "NtOpenThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001f03ff",
                "pretty_value": "THREAD_ALL_ACCESS"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "ThreadId",
                "value": "18446744073509798911"
              }
            ],
            "repeated": 0,
            "id": 434
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10001f4d",
            "parentcaller": "0x10002b5a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 435
          },
          {
            "timestamp": "2026-04-16 20:00:22,611",
            "thread_id": "4696",
            "caller": "0x10001f4d",
            "parentcaller": "0x10002b5a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              }
            ],
            "repeated": 0,
            "id": 436
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10001f4d",
            "parentcaller": "0x10002b5a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 437
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10001f4d",
            "parentcaller": "0x10002b5a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              }
            ],
            "repeated": 0,
            "id": 438
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10001f4d",
            "parentcaller": "0x10002b5a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 439
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10001f4d",
            "parentcaller": "0x10002b5a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              }
            ],
            "repeated": 0,
            "id": 440
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10001f4d",
            "parentcaller": "0x10002b5a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 441
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10001f4d",
            "parentcaller": "0x10002b5a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              }
            ],
            "repeated": 0,
            "id": 442
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10001f4d",
            "parentcaller": "0x10002b5a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 443
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10001f4d",
            "parentcaller": "0x10002b5a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              }
            ],
            "repeated": 0,
            "id": 444
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10001f4d",
            "parentcaller": "0x10002b5a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 445
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10001f4d",
            "parentcaller": "0x10002b5a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              }
            ],
            "repeated": 0,
            "id": 446
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10001f4d",
            "parentcaller": "0x10002b5a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 447
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10001f4d",
            "parentcaller": "0x10002b5a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              }
            ],
            "repeated": 0,
            "id": 448
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10001f4d",
            "parentcaller": "0x10002b5a",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000004cc"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000298"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 449
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10001f4d",
            "parentcaller": "0x10002b5a",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000024c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000294"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 450
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10001f4d",
            "parentcaller": "0x10002b5a",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000294"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\xf0\\xe4\\x00\\x04\\x1e\\x00\\x00|\\x0f\\x00\\x00\\x03\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3964"
              }
            ],
            "repeated": 0,
            "id": 451
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10001f4d",
            "parentcaller": "0x10002b5a",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000298"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e230"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00<\\x08"
              }
            ],
            "repeated": 0,
            "id": 452
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10001f4d",
            "parentcaller": "0x10002b5a",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000298"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x083c0000"
              },
              {
                "name": "Size",
                "value": "0x00000968"
              },
              {
                "name": "Buffer",
                "value": "h\t\\x00\\x00P\\x00E\\x00B\\x00_\\x00S\\x00I\\x00G\\x00N\\x00A\\x00T\\x00U\\x00R\\x00E\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 453
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10001f4d",
            "parentcaller": "0x10002b5a",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000298"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x0839db6c"
              },
              {
                "name": "Size",
                "value": "0x00000008"
              },
              {
                "name": "Buffer",
                "value": "\\xe8\\xdd9\\x088\\xde9\\x08"
              }
            ],
            "repeated": 0,
            "id": 454
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10001f4d",
            "parentcaller": "0x10002b5a",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000298"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x0839dde8"
              },
              {
                "name": "Size",
                "value": "0x00000050"
              },
              {
                "name": "Buffer",
                "value": "MOC\\xe0\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x12\\xcc'w\\x01\\x00\\x00\\x00\\x02\\x00\\x07\\x80\\xc0s2\\x01,\\xe39\\x08\\x00\\x10\\xber9\\x00\\x00\\x02\\xd0\\xe29\\x08\\x87\\xf4~s\\xd8\\xe29\\x089\\x00\\x00\\x02\\xdc\\xe29\\x08\\xfb\\xfb~s\\xc4/\\xe5r\\xec\\xe29\\x08?\\xe3\\x8ds \\x96\\xe3r"
              }
            ],
            "repeated": 0,
            "id": 455
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10001fe2",
            "parentcaller": "0x10002b5a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 456
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 457
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              }
            ],
            "repeated": 0,
            "id": 458
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 459
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\SysprepLock"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\SysprepLock"
              }
            ],
            "repeated": 0,
            "id": 460
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 461
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 462
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "MachineID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MachineID"
              }
            ],
            "repeated": 0,
            "id": 463
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "MachineID"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{DEA0B215-B8D4-44C0-B1F3-E3A7DA9D6FC6}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MachineID"
              }
            ],
            "repeated": 0,
            "id": 464
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 465
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03cf9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 466
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03cfb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 467
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              }
            ],
            "repeated": 0,
            "id": 468
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "ResourcePolicies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies"
              }
            ],
            "repeated": 0,
            "id": 469
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 470
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x039d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 471
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x039d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 472
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "MutexName",
                "value": "Global\\64f40b16-8815-4ee8-8a70-3b6c64161d57"
              },
              {
                "name": "InitialOwner",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 473
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 474
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 475
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 476
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 477
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 478
          },
          {
            "timestamp": "2026-04-16 20:00:22,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xfc\\x07\\x13\\x00\\x00\\x00\\x00\\x00\\xcc\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xaeV\\x13\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 479
          },
          {
            "timestamp": "2026-04-16 20:00:22,643",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "4696"
              },
              {
                "name": "Module",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "Return Address",
                "value": "0x772833ec"
              }
            ],
            "repeated": 0,
            "id": 480
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 481
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "ru-RU"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 482
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 483
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 484
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "ru-RU"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 485
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 486
          },
          {
            "timestamp": "2026-04-16 20:00:22,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000419",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 0,
            "id": 487
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 488
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xf3\\xdf\\x03\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xcc\\x04\\x82\\xdf\\xb2e\\xf3\\xf4\\xc8\\x97L\\xbe\\xe8\\x03\\x00\\x00\\xf8\\xbd\\x0bt\\xc8M\\x13t$\\xfdv\\x02xZ\\x0et\\xc4\\xf3\\xdf\\x03d\\xff\\xdf\\x034\\xf3\\xdf\\x03\\xc0\\x00\\xcf\\x03c{:u\\xb8\\xee\\xdf\\x03\\xd3\\xdc\\xe8\\x02"
              }
            ],
            "repeated": 0,
            "id": 489
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 490
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 491
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 492
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 493
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 494
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "NewUserDefaultConsent"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\NewUserDefaultConsent"
              }
            ],
            "repeated": 0,
            "id": 495
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 496
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 497
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 498
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 499
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 500
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DontSendAdditionalData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData"
              }
            ],
            "repeated": 0,
            "id": 501
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "Disabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled"
              }
            ],
            "repeated": 0,
            "id": 502
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "Disabled"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled"
              }
            ],
            "repeated": 0,
            "id": 503
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 504
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "ValueName",
                "value": "DefaultConsent"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
              }
            ],
            "repeated": 0,
            "id": 505
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "ValueName",
                "value": "DefaultConsent"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
              }
            ],
            "repeated": 0,
            "id": 506
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 507
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 508
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "ValueName",
                "value": "DefaultOverrideBehavior"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior"
              }
            ],
            "repeated": 0,
            "id": 509
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 510
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 511
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "ValueName",
                "value": "CLR20r3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\CLR20r3"
              }
            ],
            "repeated": 0,
            "id": 512
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 513
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "LoggingDisabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled"
              }
            ],
            "repeated": 0,
            "id": 514
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DontShowUI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI"
              }
            ],
            "repeated": 0,
            "id": 515
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "QueuePesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval"
              }
            ],
            "repeated": 0,
            "id": 516
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ExcludedApplications"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications"
              }
            ],
            "repeated": 0,
            "id": 517
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DebugApplications"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications"
              }
            ],
            "repeated": 1,
            "id": 518
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassDataThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling"
              }
            ],
            "repeated": 0,
            "id": 519
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ForceUserModeCabCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection"
              }
            ],
            "repeated": 0,
            "id": 520
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "BrokerUp"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BrokerUp"
              }
            ],
            "repeated": 0,
            "id": 521
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "ValueName",
                "value": "CLR20r3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BrokerUp\\CLR20r3"
              }
            ],
            "repeated": 0,
            "id": 522
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 523
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassPowerThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling"
              }
            ],
            "repeated": 0,
            "id": 524
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassNetworkCostThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling"
              }
            ],
            "repeated": 0,
            "id": 525
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "QueueNoPesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval"
              }
            ],
            "repeated": 0,
            "id": 526
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "AutoApproveOSDumps"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps"
              }
            ],
            "repeated": 0,
            "id": 527
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "LiveReportFlushInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval"
              }
            ],
            "repeated": 0,
            "id": 528
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 529
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 530
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 531
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 532
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 533
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DontSendAdditionalData"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData"
              }
            ],
            "repeated": 0,
            "id": 534
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 1,
            "id": 535
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "LoggingDisabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled"
              }
            ],
            "repeated": 0,
            "id": 536
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DontShowUI"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI"
              }
            ],
            "repeated": 0,
            "id": 537
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "QueuePesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval"
              }
            ],
            "repeated": 0,
            "id": 538
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ExcludedApplications"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications"
              }
            ],
            "repeated": 0,
            "id": 539
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DebugApplications"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications"
              }
            ],
            "repeated": 1,
            "id": 540
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassDataThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling"
              }
            ],
            "repeated": 0,
            "id": 541
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ForceUserModeCabCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection"
              }
            ],
            "repeated": 0,
            "id": 542
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "BrokerUp"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BrokerUp"
              }
            ],
            "repeated": 0,
            "id": 543
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassPowerThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling"
              }
            ],
            "repeated": 0,
            "id": 544
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassNetworkCostThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling"
              }
            ],
            "repeated": 0,
            "id": 545
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "QueueNoPesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval"
              }
            ],
            "repeated": 0,
            "id": 546
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "AutoApproveOSDumps"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps"
              }
            ],
            "repeated": 0,
            "id": 547
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "LiveReportFlushInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval"
              }
            ],
            "repeated": 0,
            "id": 548
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 549
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03cfd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 550
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 551
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 552
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 553
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 554
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DontSendAdditionalData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData"
              }
            ],
            "repeated": 0,
            "id": 555
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 556
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "ValueName",
                "value": "DefaultOverrideBehavior"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior"
              }
            ],
            "repeated": 0,
            "id": 557
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 558
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 559
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "ValueName",
                "value": "CLR20r3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\CLR20r3"
              }
            ],
            "repeated": 0,
            "id": 560
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 561
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "LoggingDisabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled"
              }
            ],
            "repeated": 0,
            "id": 562
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DontShowUI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI"
              }
            ],
            "repeated": 0,
            "id": 563
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "QueuePesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval"
              }
            ],
            "repeated": 0,
            "id": 564
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ForceQueue"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue"
              }
            ],
            "repeated": 0,
            "id": 565
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "MaxQueueCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount"
              }
            ],
            "repeated": 0,
            "id": 566
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "MaxArchiveCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount"
              }
            ],
            "repeated": 0,
            "id": 567
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ConfigureArchive"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive"
              }
            ],
            "repeated": 0,
            "id": 568
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DisableArchive"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive"
              }
            ],
            "repeated": 0,
            "id": 569
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ExcludedApplications"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications"
              }
            ],
            "repeated": 0,
            "id": 570
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DebugApplications"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications"
              }
            ],
            "repeated": 1,
            "id": 571
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer"
              }
            ],
            "repeated": 0,
            "id": 572
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerUseSSL"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL"
              }
            ],
            "repeated": 0,
            "id": 573
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerPortNumber"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber"
              }
            ],
            "repeated": 0,
            "id": 574
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerUseAuthentication"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication"
              }
            ],
            "repeated": 0,
            "id": 575
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassDataThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling"
              }
            ],
            "repeated": 0,
            "id": 576
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ForceUserModeCabCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection"
              }
            ],
            "repeated": 0,
            "id": 577
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "BrokerUp"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BrokerUp"
              }
            ],
            "repeated": 0,
            "id": 578
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "ValueName",
                "value": "CLR20r3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BrokerUp\\CLR20r3"
              }
            ],
            "repeated": 0,
            "id": 579
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 580
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassPowerThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling"
              }
            ],
            "repeated": 0,
            "id": 581
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassNetworkCostThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling"
              }
            ],
            "repeated": 0,
            "id": 582
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "QueueNoPesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval"
              }
            ],
            "repeated": 0,
            "id": 583
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "AutoApproveOSDumps"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps"
              }
            ],
            "repeated": 0,
            "id": 584
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "MinFreeDiskSpace"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinFreeDiskSpace"
              }
            ],
            "repeated": 0,
            "id": 585
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "LiveReportFlushInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval"
              }
            ],
            "repeated": 0,
            "id": 586
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CabArchiveFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveFolder"
              }
            ],
            "repeated": 0,
            "id": 587
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ForceHeapDump"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceHeapDump"
              }
            ],
            "repeated": 0,
            "id": 588
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ForceMetadata"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceMetadata"
              }
            ],
            "repeated": 0,
            "id": 589
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "Source"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Source"
              }
            ],
            "repeated": 0,
            "id": 590
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "User"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\User"
              }
            ],
            "repeated": 0,
            "id": 591
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "StorePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\StorePath"
              }
            ],
            "repeated": 0,
            "id": 592
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ForceEtw"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceEtw"
              }
            ],
            "repeated": 0,
            "id": 593
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerUploadOnFreeNetworksOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUploadOnFreeNetworksOnly"
              }
            ],
            "repeated": 0,
            "id": 594
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "UploadOnFreeNetworksOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\UploadOnFreeNetworksOnly"
              }
            ],
            "repeated": 0,
            "id": 595
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CabArchiveSeparate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveSeparate"
              }
            ],
            "repeated": 0,
            "id": 596
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CabArchiveCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveCreate"
              }
            ],
            "repeated": 0,
            "id": 597
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "LocalCompression"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalCompression"
              }
            ],
            "repeated": 0,
            "id": 598
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DisableWerUpload"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableWerUpload"
              }
            ],
            "repeated": 0,
            "id": 599
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DisableEnterpriseAuthProxy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableEnterpriseAuthProxy"
              }
            ],
            "repeated": 0,
            "id": 600
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ArchiveFolderCountLimit"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ArchiveFolderCountLimit"
              }
            ],
            "repeated": 0,
            "id": 601
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "QueueSizeMaxPercentFreeDisk"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueSizeMaxPercentFreeDisk"
              }
            ],
            "repeated": 0,
            "id": 602
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "MinQueueSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinQueueSize"
              }
            ],
            "repeated": 0,
            "id": 603
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "MaxRetriesForSasRenewal"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxRetriesForSasRenewal"
              }
            ],
            "repeated": 0,
            "id": 604
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "NoHeapDumpOnQueue"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\NoHeapDumpOnQueue"
              }
            ],
            "repeated": 0,
            "id": 605
          },
          {
            "timestamp": "2026-04-16 20:00:22,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DeferCabUpload"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DeferCabUpload"
              }
            ],
            "repeated": 0,
            "id": 606
          },
          {
            "timestamp": "2026-04-16 20:00:22,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 607
          },
          {
            "timestamp": "2026-04-16 20:00:22,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 608
          },
          {
            "timestamp": "2026-04-16 20:00:22,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySecurityPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb4050"
              }
            ],
            "repeated": 0,
            "id": 609
          },
          {
            "timestamp": "2026-04-16 20:00:22,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 610
          },
          {
            "timestamp": "2026-04-16 20:00:22,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 611
          },
          {
            "timestamp": "2026-04-16 20:00:22,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 612
          },
          {
            "timestamp": "2026-04-16 20:00:22,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 613
          },
          {
            "timestamp": "2026-04-16 20:00:22,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 614
          },
          {
            "timestamp": "2026-04-16 20:00:22,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 615
          },
          {
            "timestamp": "2026-04-16 20:00:22,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 616
          },
          {
            "timestamp": "2026-04-16 20:00:22,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 617
          },
          {
            "timestamp": "2026-04-16 20:00:22,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 618
          },
          {
            "timestamp": "2026-04-16 20:00:22,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 619
          },
          {
            "timestamp": "2026-04-16 20:00:22,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 620
          },
          {
            "timestamp": "2026-04-16 20:00:22,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 621
          },
          {
            "timestamp": "2026-04-16 20:00:22,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x702d0000"
              }
            ],
            "repeated": 0,
            "id": 622
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x702d0000"
              }
            ],
            "repeated": 0,
            "id": 623
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x702d0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x702e21f0"
              }
            ],
            "repeated": 0,
            "id": 624
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x702d0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x702e43f0"
              }
            ],
            "repeated": 0,
            "id": 625
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7034b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 626
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7034b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 627
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x760ed000"
              },
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 628
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x760ed000"
              },
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 629
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 630
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 631
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 632
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "73777"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 633
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 634
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 635
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 636
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7034b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 637
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7034b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 638
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 639
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 640
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 641
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 642
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 643
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 644
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 645
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 646
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 647
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 648
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value"
              }
            ],
            "repeated": 0,
            "id": 649
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value"
              }
            ],
            "repeated": 0,
            "id": 650
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 651
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 652
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 653
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 654
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 655
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 656
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 657
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 658
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 659
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 660
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 661
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 662
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d0"
              }
            ],
            "repeated": 0,
            "id": 663
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 664
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 665
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x702d0000"
              }
            ],
            "repeated": 0,
            "id": 666
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 667
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 668
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 669
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x752a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 670
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 671
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 672
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x702d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 673
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 674
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 675
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 676
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 677
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d0"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 678
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d0"
              }
            ],
            "repeated": 0,
            "id": 679
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 680
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 681
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 682
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 683
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d0"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 684
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d0"
              }
            ],
            "repeated": 0,
            "id": 685
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TelemetryPermission-DefaultLevel"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 686
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 687
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySecurityPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb4050"
              }
            ],
            "repeated": 0,
            "id": 688
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 689
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 690
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 691
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d0"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 692
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d0"
              }
            ],
            "repeated": 0,
            "id": 693
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 694
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 695
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 696
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 697
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d0"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 698
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d0"
              }
            ],
            "repeated": 0,
            "id": 699
          },
          {
            "timestamp": "2026-04-16 20:00:22,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 700
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 701
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 702
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x700c0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x700d21f0"
              }
            ],
            "repeated": 0,
            "id": 703
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x700c0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x700d43f0"
              }
            ],
            "repeated": 0,
            "id": 704
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 705
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 706
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 707
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 708
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 709
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "73777"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 710
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 711
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 712
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 713
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 714
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 715
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 716
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 717
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 718
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 719
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 720
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 721
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 722
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 723
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 724
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 725
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value"
              }
            ],
            "repeated": 0,
            "id": 726
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value"
              }
            ],
            "repeated": 0,
            "id": 727
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 728
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 729
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 730
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 731
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 732
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 733
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 734
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 735
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 736
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 737
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 738
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 739
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d0"
              }
            ],
            "repeated": 0,
            "id": 740
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 741
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 742
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 743
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 744
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 745
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 746
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x752a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 747
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 748
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 749
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x700c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 750
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 751
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 752
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 753
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 754
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d0"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 755
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d0"
              }
            ],
            "repeated": 0,
            "id": 756
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 757
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 758
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 759
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 760
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d0"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 761
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d0"
              }
            ],
            "repeated": 0,
            "id": 762
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TelemetryPermission-DefaultLevel"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 763
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 764
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySecurityPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb4050"
              }
            ],
            "repeated": 0,
            "id": 765
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 766
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 767
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 768
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d0"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 769
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d0"
              }
            ],
            "repeated": 0,
            "id": 770
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 771
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 772
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 773
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 774
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d0"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 775
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d0"
              }
            ],
            "repeated": 0,
            "id": 776
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 777
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 778
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 779
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x700c0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x700d21f0"
              }
            ],
            "repeated": 0,
            "id": 780
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x700c0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x700d43f0"
              }
            ],
            "repeated": 0,
            "id": 781
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 782
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 783
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 784
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 785
          },
          {
            "timestamp": "2026-04-16 20:00:22,799",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 786
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "73777"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 787
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 788
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 789
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 790
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 791
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 792
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 793
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 794
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 795
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 796
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 797
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 798
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 799
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 800
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 801
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 802
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value"
              }
            ],
            "repeated": 0,
            "id": 803
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value"
              }
            ],
            "repeated": 0,
            "id": 804
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 805
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 806
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 807
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 808
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 809
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 810
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 811
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 812
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 813
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 814
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 815
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d0"
              }
            ],
            "repeated": 0,
            "id": 816
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 817
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 818
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 819
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 820
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 821
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 822
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 823
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x752a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 824
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 825
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 826
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x700c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 827
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 828
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 829
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 830
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 831
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 832
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 833
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 834
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 835
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 836
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 837
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 838
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 839
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TelemetryPermission-DefaultLevel"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 840
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 841
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Policies\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 842
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 843
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 844
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "ValueName",
                "value": "MSFTInternal"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MSFTInternal"
              }
            ],
            "repeated": 0,
            "id": 845
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 846
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 847
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Policies\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 848
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 849
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 850
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "ValueName",
                "value": "IsTest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\IsTest"
              }
            ],
            "repeated": 0,
            "id": 851
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 852
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 853
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              }
            ],
            "repeated": 0,
            "id": 854
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 855
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 856
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d0"
              }
            ],
            "repeated": 0,
            "id": 857
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70642000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 858
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70642000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 859
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 860
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 1,
            "id": 861
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 862
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 863
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SYSTEM\\CurrentControlSet\\Control\\MiniNT"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNT"
              }
            ],
            "repeated": 0,
            "id": 864
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 865
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 866
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 867
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 868
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "NewUserDefaultConsent"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\NewUserDefaultConsent"
              }
            ],
            "repeated": 0,
            "id": 869
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 870
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 871
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 872
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 873
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 874
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DontSendAdditionalData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData"
              }
            ],
            "repeated": 0,
            "id": 875
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "Disabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled"
              }
            ],
            "repeated": 0,
            "id": 876
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "Disabled"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled"
              }
            ],
            "repeated": 0,
            "id": 877
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 878
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "DefaultConsent"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
              }
            ],
            "repeated": 0,
            "id": 879
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "DefaultConsent"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
              }
            ],
            "repeated": 0,
            "id": 880
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 881
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 882
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "DefaultOverrideBehavior"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior"
              }
            ],
            "repeated": 0,
            "id": 883
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 884
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "LoggingDisabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled"
              }
            ],
            "repeated": 0,
            "id": 885
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DontShowUI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI"
              }
            ],
            "repeated": 0,
            "id": 886
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "QueuePesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval"
              }
            ],
            "repeated": 0,
            "id": 887
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DebugApplications"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications"
              }
            ],
            "repeated": 0,
            "id": 888
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassDataThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling"
              }
            ],
            "repeated": 0,
            "id": 889
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ForceUserModeCabCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection"
              }
            ],
            "repeated": 0,
            "id": 890
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassPowerThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling"
              }
            ],
            "repeated": 0,
            "id": 891
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassNetworkCostThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling"
              }
            ],
            "repeated": 0,
            "id": 892
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "QueueNoPesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval"
              }
            ],
            "repeated": 0,
            "id": 893
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "AutoApproveOSDumps"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps"
              }
            ],
            "repeated": 0,
            "id": 894
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "LiveReportFlushInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval"
              }
            ],
            "repeated": 0,
            "id": 895
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 896
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 897
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 898
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 899
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 900
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DontSendAdditionalData"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData"
              }
            ],
            "repeated": 0,
            "id": 901
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 902
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "LoggingDisabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled"
              }
            ],
            "repeated": 0,
            "id": 903
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DontShowUI"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI"
              }
            ],
            "repeated": 0,
            "id": 904
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "QueuePesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval"
              }
            ],
            "repeated": 0,
            "id": 905
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DebugApplications"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications"
              }
            ],
            "repeated": 0,
            "id": 906
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassDataThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling"
              }
            ],
            "repeated": 0,
            "id": 907
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ForceUserModeCabCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection"
              }
            ],
            "repeated": 0,
            "id": 908
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassPowerThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling"
              }
            ],
            "repeated": 0,
            "id": 909
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassNetworkCostThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling"
              }
            ],
            "repeated": 0,
            "id": 910
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "QueueNoPesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval"
              }
            ],
            "repeated": 0,
            "id": 911
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "AutoApproveOSDumps"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps"
              }
            ],
            "repeated": 0,
            "id": 912
          },
          {
            "timestamp": "2026-04-16 20:00:22,814",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "LiveReportFlushInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval"
              }
            ],
            "repeated": 0,
            "id": 913
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 914
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 915
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 916
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 917
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 918
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DontSendAdditionalData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData"
              }
            ],
            "repeated": 0,
            "id": 919
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 920
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "DefaultOverrideBehavior"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior"
              }
            ],
            "repeated": 0,
            "id": 921
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 922
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "LoggingDisabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled"
              }
            ],
            "repeated": 0,
            "id": 923
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DontShowUI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI"
              }
            ],
            "repeated": 0,
            "id": 924
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "QueuePesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval"
              }
            ],
            "repeated": 0,
            "id": 925
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ForceQueue"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue"
              }
            ],
            "repeated": 0,
            "id": 926
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "MaxQueueCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount"
              }
            ],
            "repeated": 0,
            "id": 927
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "MaxArchiveCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount"
              }
            ],
            "repeated": 0,
            "id": 928
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ConfigureArchive"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive"
              }
            ],
            "repeated": 0,
            "id": 929
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DisableArchive"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive"
              }
            ],
            "repeated": 0,
            "id": 930
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DebugApplications"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications"
              }
            ],
            "repeated": 0,
            "id": 931
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer"
              }
            ],
            "repeated": 0,
            "id": 932
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerUseSSL"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL"
              }
            ],
            "repeated": 0,
            "id": 933
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerPortNumber"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber"
              }
            ],
            "repeated": 0,
            "id": 934
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerUseAuthentication"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication"
              }
            ],
            "repeated": 0,
            "id": 935
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassDataThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling"
              }
            ],
            "repeated": 0,
            "id": 936
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ForceUserModeCabCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection"
              }
            ],
            "repeated": 0,
            "id": 937
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassPowerThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling"
              }
            ],
            "repeated": 0,
            "id": 938
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassNetworkCostThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling"
              }
            ],
            "repeated": 0,
            "id": 939
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "QueueNoPesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval"
              }
            ],
            "repeated": 0,
            "id": 940
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "AutoApproveOSDumps"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps"
              }
            ],
            "repeated": 0,
            "id": 941
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "MinFreeDiskSpace"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinFreeDiskSpace"
              }
            ],
            "repeated": 0,
            "id": 942
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "LiveReportFlushInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval"
              }
            ],
            "repeated": 0,
            "id": 943
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CabArchiveFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveFolder"
              }
            ],
            "repeated": 0,
            "id": 944
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ForceHeapDump"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceHeapDump"
              }
            ],
            "repeated": 0,
            "id": 945
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ForceMetadata"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceMetadata"
              }
            ],
            "repeated": 0,
            "id": 946
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "Source"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Source"
              }
            ],
            "repeated": 0,
            "id": 947
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "User"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\User"
              }
            ],
            "repeated": 0,
            "id": 948
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "StorePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\StorePath"
              }
            ],
            "repeated": 0,
            "id": 949
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ForceEtw"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceEtw"
              }
            ],
            "repeated": 0,
            "id": 950
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerUploadOnFreeNetworksOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUploadOnFreeNetworksOnly"
              }
            ],
            "repeated": 0,
            "id": 951
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "UploadOnFreeNetworksOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\UploadOnFreeNetworksOnly"
              }
            ],
            "repeated": 0,
            "id": 952
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CabArchiveSeparate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveSeparate"
              }
            ],
            "repeated": 0,
            "id": 953
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CabArchiveCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveCreate"
              }
            ],
            "repeated": 0,
            "id": 954
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "LocalCompression"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalCompression"
              }
            ],
            "repeated": 0,
            "id": 955
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DisableWerUpload"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableWerUpload"
              }
            ],
            "repeated": 0,
            "id": 956
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DisableEnterpriseAuthProxy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableEnterpriseAuthProxy"
              }
            ],
            "repeated": 0,
            "id": 957
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ArchiveFolderCountLimit"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ArchiveFolderCountLimit"
              }
            ],
            "repeated": 0,
            "id": 958
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "QueueSizeMaxPercentFreeDisk"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueSizeMaxPercentFreeDisk"
              }
            ],
            "repeated": 0,
            "id": 959
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "MinQueueSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinQueueSize"
              }
            ],
            "repeated": 0,
            "id": 960
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "MaxRetriesForSasRenewal"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxRetriesForSasRenewal"
              }
            ],
            "repeated": 0,
            "id": 961
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "NoHeapDumpOnQueue"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\NoHeapDumpOnQueue"
              }
            ],
            "repeated": 0,
            "id": 962
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DeferCabUpload"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DeferCabUpload"
              }
            ],
            "repeated": 0,
            "id": 963
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 964
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 965
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySecurityPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb4050"
              }
            ],
            "repeated": 0,
            "id": 966
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 967
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 968
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 969
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 970
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 971
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 972
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 973
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 974
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 975
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 976
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 977
          },
          {
            "timestamp": "2026-04-16 20:00:22,830",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 978
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 979
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 980
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x700c0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x700d21f0"
              }
            ],
            "repeated": 0,
            "id": 981
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x700c0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x700d43f0"
              }
            ],
            "repeated": 0,
            "id": 982
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 983
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 984
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 985
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 986
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 987
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "73777"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 988
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 989
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 990
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 991
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 992
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 993
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 994
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 995
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 996
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 997
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 998
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 999
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 1000
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 1001
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 1002
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 1003
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value"
              }
            ],
            "repeated": 0,
            "id": 1004
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value"
              }
            ],
            "repeated": 0,
            "id": 1005
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1006
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1007
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1008
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 1009
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1010
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1011
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 1012
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1013
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1014
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 1015
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1016
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 1017
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1018
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1019
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 1020
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 1021
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 1022
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1023
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1024
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x752a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1025
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1026
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1027
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x700c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1028
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1029
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 1030
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1031
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 1032
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 1033
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1034
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1035
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 1036
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1037
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1038
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 1039
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1040
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TelemetryPermission-DefaultLevel"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1041
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1042
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySecurityPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb4050"
              }
            ],
            "repeated": 0,
            "id": 1043
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1044
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1045
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1046
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 1047
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1048
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1049
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 1050
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1051
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 1052
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 1053
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1054
          },
          {
            "timestamp": "2026-04-16 20:00:22,846",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 1055
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 1056
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 1057
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x700c0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x700d21f0"
              }
            ],
            "repeated": 0,
            "id": 1058
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x700c0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x700d43f0"
              }
            ],
            "repeated": 0,
            "id": 1059
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1060
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1061
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1062
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 1063
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 1064
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "73777"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 1065
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 1066
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 1067
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 1068
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1069
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1070
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 1071
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 1072
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 1073
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 1074
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 1075
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 1076
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 1077
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 1078
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 1079
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 1080
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value"
              }
            ],
            "repeated": 0,
            "id": 1081
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value"
              }
            ],
            "repeated": 0,
            "id": 1082
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1083
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1084
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1085
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 1086
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1087
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1088
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 1089
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1090
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1091
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 1092
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1093
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 1094
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1095
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1096
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 1097
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 1098
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 1099
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1100
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1101
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x752a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1102
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1103
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1104
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x700c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1105
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1106
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 1107
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1108
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 1109
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 1110
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1111
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1112
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 1113
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1114
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1115
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 1116
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1117
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TelemetryPermission-DefaultLevel"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1118
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1119
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySecurityPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb4050"
              }
            ],
            "repeated": 0,
            "id": 1120
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1121
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1122
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1123
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 1124
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1125
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1126
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 1127
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1128
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 1129
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 1130
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1131
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 1132
          },
          {
            "timestamp": "2026-04-16 20:00:22,861",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 1133
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 1134
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x700c0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x700d21f0"
              }
            ],
            "repeated": 0,
            "id": 1135
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x700c0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x700d43f0"
              }
            ],
            "repeated": 0,
            "id": 1136
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1137
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1138
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1139
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 1140
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 1141
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "73777"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 1142
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 1143
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 1144
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 1145
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1146
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1147
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 1148
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 1149
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 1150
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 1151
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 1152
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 1153
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 1154
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 1155
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 1156
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 1157
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value"
              }
            ],
            "repeated": 0,
            "id": 1158
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value"
              }
            ],
            "repeated": 0,
            "id": 1159
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 1160
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1161
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1162
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 1163
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 1164
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1165
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 1166
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1167
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1168
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 1169
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 1170
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 1171
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1172
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1173
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 1174
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 1175
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 1176
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1177
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1178
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x752a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1179
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1180
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1181
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x700c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1182
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1183
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 1184
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1185
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 1186
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 1187
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1188
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1189
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 1190
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1191
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1192
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 1193
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1194
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TelemetryPermission-DefaultLevel"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1195
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1196
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Policies\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 1197
          },
          {
            "timestamp": "2026-04-16 20:00:22,877",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1198
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 1199
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "MSFTInternal"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MSFTInternal"
              }
            ],
            "repeated": 0,
            "id": 1200
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1201
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1202
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Policies\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 1203
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1204
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 1205
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "IsTest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\IsTest"
              }
            ],
            "repeated": 0,
            "id": 1206
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1207
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1208
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002b8"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "D\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 1209
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1210
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InputBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1211
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 1212
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002b8"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "D\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 1213
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04140000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1214
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04140000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1215
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1216
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1217
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              }
            ],
            "repeated": 0,
            "id": 1218
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              }
            ],
            "repeated": 0,
            "id": 1219
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue"
              }
            ],
            "repeated": 0,
            "id": 1220
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1221
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002b8"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "D\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 1222
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1223
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InputBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1224
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 1225
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002b8"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "D\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 1226
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1227
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              }
            ],
            "repeated": 0,
            "id": 1228
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00160080",
                "pretty_value": "FILE_READ_ATTRIBUTES|READ_CONTROL|WRITE_DAC|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1229
          },
          {
            "timestamp": "2026-04-16 20:00:22,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002b8"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "N\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 1230
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1231
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InputBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1232
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 1233
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002b8"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "N\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 1234
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1235
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              }
            ],
            "repeated": 0,
            "id": 1236
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c73e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 1237
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 1238
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c78a0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 1239
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 1240
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c78a0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 1241
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 1242
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1243
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1244
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1245
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002b8"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "N\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 1246
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1247
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002cc"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InputBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1248
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 1249
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002b8"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "N\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 1250
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1251
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              }
            ],
            "repeated": 0,
            "id": 1252
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c73e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 1253
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 1254
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c76e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 1255
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 1256
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c76e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 1257
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 1258
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1259
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70642000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1260
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70642000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1261
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0010000",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|DELETE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\acd29d50-6f1f-474a-a042-5278ee2cd631"
              },
              {
                "name": "CreateDisposition",
                "value": "2",
                "pretty_value": "FILE_CREATE"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1262
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1263
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1264
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000002b8"
              },
              {
                "name": "IoControlCode",
                "value": "0x0009c040"
              },
              {
                "name": "InBuffer",
                "value": "\\x01\\x00"
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1265
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1266
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1267
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 1268
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1269
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 1270
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "NewUserDefaultConsent"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\NewUserDefaultConsent"
              }
            ],
            "repeated": 0,
            "id": 1271
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1272
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1273
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 1274
          },
          {
            "timestamp": "2026-04-16 20:00:22,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1275
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 1276
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DontSendAdditionalData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData"
              }
            ],
            "repeated": 0,
            "id": 1277
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "Disabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled"
              }
            ],
            "repeated": 0,
            "id": 1278
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "Disabled"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled"
              }
            ],
            "repeated": 0,
            "id": 1279
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 1280
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "DefaultConsent"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
              }
            ],
            "repeated": 0,
            "id": 1281
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "DefaultConsent"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
              }
            ],
            "repeated": 0,
            "id": 1282
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1283
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 1284
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "DefaultOverrideBehavior"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior"
              }
            ],
            "repeated": 0,
            "id": 1285
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1286
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "LoggingDisabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled"
              }
            ],
            "repeated": 0,
            "id": 1287
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DontShowUI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI"
              }
            ],
            "repeated": 0,
            "id": 1288
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "QueuePesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval"
              }
            ],
            "repeated": 0,
            "id": 1289
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DebugApplications"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications"
              }
            ],
            "repeated": 0,
            "id": 1290
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassDataThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling"
              }
            ],
            "repeated": 0,
            "id": 1291
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ForceUserModeCabCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection"
              }
            ],
            "repeated": 0,
            "id": 1292
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassPowerThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling"
              }
            ],
            "repeated": 0,
            "id": 1293
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassNetworkCostThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling"
              }
            ],
            "repeated": 0,
            "id": 1294
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "QueueNoPesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval"
              }
            ],
            "repeated": 0,
            "id": 1295
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "AutoApproveOSDumps"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps"
              }
            ],
            "repeated": 0,
            "id": 1296
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "LiveReportFlushInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval"
              }
            ],
            "repeated": 0,
            "id": 1297
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1298
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1299
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 1300
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1301
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 1302
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DontSendAdditionalData"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData"
              }
            ],
            "repeated": 0,
            "id": 1303
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 1304
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "LoggingDisabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled"
              }
            ],
            "repeated": 0,
            "id": 1305
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DontShowUI"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI"
              }
            ],
            "repeated": 0,
            "id": 1306
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "QueuePesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval"
              }
            ],
            "repeated": 0,
            "id": 1307
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DebugApplications"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications"
              }
            ],
            "repeated": 0,
            "id": 1308
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassDataThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling"
              }
            ],
            "repeated": 0,
            "id": 1309
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ForceUserModeCabCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection"
              }
            ],
            "repeated": 0,
            "id": 1310
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassPowerThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling"
              }
            ],
            "repeated": 0,
            "id": 1311
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassNetworkCostThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling"
              }
            ],
            "repeated": 0,
            "id": 1312
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "QueueNoPesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval"
              }
            ],
            "repeated": 0,
            "id": 1313
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "AutoApproveOSDumps"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps"
              }
            ],
            "repeated": 0,
            "id": 1314
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "LiveReportFlushInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval"
              }
            ],
            "repeated": 0,
            "id": 1315
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1316
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04142000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1317
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1318
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 1319
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1320
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 1321
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DontSendAdditionalData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData"
              }
            ],
            "repeated": 0,
            "id": 1322
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 1323
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "DefaultOverrideBehavior"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior"
              }
            ],
            "repeated": 0,
            "id": 1324
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1325
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "LoggingDisabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled"
              }
            ],
            "repeated": 0,
            "id": 1326
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DontShowUI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI"
              }
            ],
            "repeated": 0,
            "id": 1327
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "QueuePesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval"
              }
            ],
            "repeated": 0,
            "id": 1328
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ForceQueue"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue"
              }
            ],
            "repeated": 0,
            "id": 1329
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "MaxQueueCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount"
              }
            ],
            "repeated": 0,
            "id": 1330
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "MaxArchiveCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount"
              }
            ],
            "repeated": 0,
            "id": 1331
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ConfigureArchive"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive"
              }
            ],
            "repeated": 0,
            "id": 1332
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DisableArchive"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive"
              }
            ],
            "repeated": 0,
            "id": 1333
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DebugApplications"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications"
              }
            ],
            "repeated": 0,
            "id": 1334
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer"
              }
            ],
            "repeated": 0,
            "id": 1335
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerUseSSL"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL"
              }
            ],
            "repeated": 0,
            "id": 1336
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerPortNumber"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber"
              }
            ],
            "repeated": 0,
            "id": 1337
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerUseAuthentication"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication"
              }
            ],
            "repeated": 0,
            "id": 1338
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassDataThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling"
              }
            ],
            "repeated": 0,
            "id": 1339
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ForceUserModeCabCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection"
              }
            ],
            "repeated": 0,
            "id": 1340
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassPowerThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling"
              }
            ],
            "repeated": 0,
            "id": 1341
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "BypassNetworkCostThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling"
              }
            ],
            "repeated": 0,
            "id": 1342
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "QueueNoPesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval"
              }
            ],
            "repeated": 0,
            "id": 1343
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "AutoApproveOSDumps"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps"
              }
            ],
            "repeated": 0,
            "id": 1344
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "MinFreeDiskSpace"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinFreeDiskSpace"
              }
            ],
            "repeated": 0,
            "id": 1345
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "LiveReportFlushInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval"
              }
            ],
            "repeated": 0,
            "id": 1346
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CabArchiveFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveFolder"
              }
            ],
            "repeated": 0,
            "id": 1347
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ForceHeapDump"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceHeapDump"
              }
            ],
            "repeated": 0,
            "id": 1348
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ForceMetadata"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceMetadata"
              }
            ],
            "repeated": 0,
            "id": 1349
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "Source"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Source"
              }
            ],
            "repeated": 0,
            "id": 1350
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "User"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\User"
              }
            ],
            "repeated": 0,
            "id": 1351
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "StorePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\StorePath"
              }
            ],
            "repeated": 0,
            "id": 1352
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ForceEtw"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceEtw"
              }
            ],
            "repeated": 0,
            "id": 1353
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerUploadOnFreeNetworksOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUploadOnFreeNetworksOnly"
              }
            ],
            "repeated": 0,
            "id": 1354
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "UploadOnFreeNetworksOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\UploadOnFreeNetworksOnly"
              }
            ],
            "repeated": 0,
            "id": 1355
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CabArchiveSeparate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveSeparate"
              }
            ],
            "repeated": 0,
            "id": 1356
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "CabArchiveCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveCreate"
              }
            ],
            "repeated": 0,
            "id": 1357
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "LocalCompression"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalCompression"
              }
            ],
            "repeated": 0,
            "id": 1358
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DisableWerUpload"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableWerUpload"
              }
            ],
            "repeated": 0,
            "id": 1359
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DisableEnterpriseAuthProxy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableEnterpriseAuthProxy"
              }
            ],
            "repeated": 0,
            "id": 1360
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ArchiveFolderCountLimit"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ArchiveFolderCountLimit"
              }
            ],
            "repeated": 0,
            "id": 1361
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "QueueSizeMaxPercentFreeDisk"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueSizeMaxPercentFreeDisk"
              }
            ],
            "repeated": 0,
            "id": 1362
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "MinQueueSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinQueueSize"
              }
            ],
            "repeated": 0,
            "id": 1363
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "MaxRetriesForSasRenewal"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxRetriesForSasRenewal"
              }
            ],
            "repeated": 0,
            "id": 1364
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "NoHeapDumpOnQueue"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\NoHeapDumpOnQueue"
              }
            ],
            "repeated": 0,
            "id": 1365
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "DeferCabUpload"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DeferCabUpload"
              }
            ],
            "repeated": 0,
            "id": 1366
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1367
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1368
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySecurityPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb4050"
              }
            ],
            "repeated": 0,
            "id": 1369
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1370
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1371
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1372
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 1373
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1374
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1375
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 1376
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1377
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 1378
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 1379
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1380
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 1381
          },
          {
            "timestamp": "2026-04-16 20:00:22,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 1382
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 1383
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x700c0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x700d21f0"
              }
            ],
            "repeated": 0,
            "id": 1384
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x700c0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x700d43f0"
              }
            ],
            "repeated": 0,
            "id": 1385
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1386
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1387
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1388
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 1389
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 1390
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "73777"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 1391
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 1392
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 1393
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 1394
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1395
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1396
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 1397
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 1398
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 1399
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 1400
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 1401
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 1402
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 1403
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 1404
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 1405
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 1406
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value"
              }
            ],
            "repeated": 0,
            "id": 1407
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value"
              }
            ],
            "repeated": 0,
            "id": 1408
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 1409
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1410
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1411
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 1412
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 1413
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1414
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 1415
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1416
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1417
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 1418
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 1419
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 1420
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1421
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1422
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 1423
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 1424
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 1425
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1426
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1427
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x752a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1428
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1429
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1430
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x700c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1431
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1432
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 1433
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1434
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 1435
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 1436
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1437
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1438
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 1439
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1440
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1441
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 1442
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1443
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TelemetryPermission-DefaultLevel"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1444
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1445
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySecurityPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb4050"
              }
            ],
            "repeated": 0,
            "id": 1446
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1447
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1448
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1449
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 1450
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1451
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1452
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 1453
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1454
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 1455
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 1456
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1457
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 1458
          },
          {
            "timestamp": "2026-04-16 20:00:22,939",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 1459
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 1460
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x700c0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x700d21f0"
              }
            ],
            "repeated": 0,
            "id": 1461
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x700c0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x700d43f0"
              }
            ],
            "repeated": 0,
            "id": 1462
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1463
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1464
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1465
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 1466
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d8"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 1467
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d8"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "73777"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 1468
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d8"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 1469
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d8"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 1470
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d8"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 1471
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1472
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1473
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d8"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 1474
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d8"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 1475
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d8"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 1476
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d8"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 1477
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d8"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 1478
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d8"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 1479
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d8"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 1480
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 1481
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 1482
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 1483
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d8"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value"
              }
            ],
            "repeated": 0,
            "id": 1484
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d8"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value"
              }
            ],
            "repeated": 0,
            "id": 1485
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 1486
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1487
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1488
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 1489
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 1490
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1491
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 1492
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1493
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1494
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 1495
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 1496
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1497
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1498
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1499
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 1500
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 1501
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 1502
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1503
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1504
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x752a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1505
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1506
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1507
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x700c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1508
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1509
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 1510
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1511
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 1512
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 1513
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1514
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1515
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 1516
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1517
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1518
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 1519
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1520
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TelemetryPermission-DefaultLevel"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1521
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1522
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySecurityPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb4050"
              }
            ],
            "repeated": 0,
            "id": 1523
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1524
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1525
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1526
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 1527
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1528
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1529
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 1530
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1531
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 1532
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 1533
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1534
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 1535
          },
          {
            "timestamp": "2026-04-16 20:00:22,955",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 1536
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 1537
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x700c0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x700d21f0"
              }
            ],
            "repeated": 0,
            "id": 1538
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x700c0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x700d43f0"
              }
            ],
            "repeated": 0,
            "id": 1539
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1540
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1541
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1542
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 1543
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 1544
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "73777"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 1545
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 1546
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 1547
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 1548
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1549
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7013b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1550
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 1551
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 1552
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 1553
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 1554
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 1555
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 1556
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 1557
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 1558
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 1559
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 1560
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value"
              }
            ],
            "repeated": 0,
            "id": 1561
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value"
              }
            ],
            "repeated": 0,
            "id": 1562
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 1563
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1564
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1565
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 1566
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 1567
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1568
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 1569
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1570
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1571
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 1572
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 1573
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 1574
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1575
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1576
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 1577
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x700c0000"
              }
            ],
            "repeated": 0,
            "id": 1578
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 1579
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1580
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1581
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x752a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1582
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1583
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1584
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x700c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1585
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1586
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 1587
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1588
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 1589
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 1590
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1591
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 1592
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 1593
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1594
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 1595
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 1596
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1597
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TelemetryPermission-DefaultLevel"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1598
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1599
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Policies\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 1600
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1601
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 1602
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "MSFTInternal"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MSFTInternal"
              }
            ],
            "repeated": 0,
            "id": 1603
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1604
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1605
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Policies\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 1606
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1607
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 1608
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d4"
              },
              {
                "name": "ValueName",
                "value": "IsTest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\IsTest"
              }
            ],
            "repeated": 0,
            "id": 1609
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1610
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1611
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "D\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 1612
          },
          {
            "timestamp": "2026-04-16 20:00:22,971",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1613
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InputBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1614
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 1615
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "D\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 1616
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1617
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1618
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              }
            ],
            "repeated": 0,
            "id": 1619
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              }
            ],
            "repeated": 0,
            "id": 1620
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive"
              }
            ],
            "repeated": 0,
            "id": 1621
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1622
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "D\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 1623
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1624
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InputBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1625
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 1626
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "D\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 1627
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1628
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              }
            ],
            "repeated": 0,
            "id": 1629
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00160080",
                "pretty_value": "FILE_READ_ATTRIBUTES|READ_CONTROL|WRITE_DAC|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1630
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "N\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 1631
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1632
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InputBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1633
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 1634
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "N\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 1635
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1636
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              }
            ],
            "repeated": 0,
            "id": 1637
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c77e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 1638
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 1639
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c76e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 1640
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 1641
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c77e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 1642
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 1643
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1644
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1645
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1646
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "N\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 1647
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1648
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InputBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1649
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 1650
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "N\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 1651
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1652
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              }
            ],
            "repeated": 0,
            "id": 1653
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c73e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 1654
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 1655
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c7220",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 1656
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 1657
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c76e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 1658
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 1659
          },
          {
            "timestamp": "2026-04-16 20:00:22,986",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1660
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0010000",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|DELETE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\3ce30f3c-ebfc-46de-8063-7e0038df70e1"
              },
              {
                "name": "CreateDisposition",
                "value": "2",
                "pretty_value": "FILE_CREATE"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1661
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1662
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1663
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000002d4"
              },
              {
                "name": "IoControlCode",
                "value": "0x0009c040"
              },
              {
                "name": "InBuffer",
                "value": "\\x01\\x00"
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1664
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1665
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 1666
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1667
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SYSTEM\\CurrentControlSet\\Control\\MiniNT"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNT"
              }
            ],
            "repeated": 0,
            "id": 1668
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1669
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "D\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 1670
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1671
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InputBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1672
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1673
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "D\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 1674
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 1675
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1676
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "`\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00R\\x00e\\x00p\\x00o\\x00r\\x00t\\x00A\\x00r\\x00c\\x00h\\x00i\\x00v\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 1677
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1678
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InputBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1679
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1680
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "`\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00R\\x00e\\x00p\\x00o\\x00r\\x00t\\x00A\\x00r\\x00c\\x00h\\x00i\\x00v\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 1681
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1682
          },
          {
            "timestamp": "2026-04-16 20:00:23,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive"
              }
            ],
            "repeated": 0,
            "id": 1683
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c76e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 1684
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1685
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c73e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 1686
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 1687
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1688
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0010000",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|DELETE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\94192d6b-e709-417d-93f9-f5879b5af313"
              },
              {
                "name": "CreateDisposition",
                "value": "2",
                "pretty_value": "FILE_CREATE"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1689
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 1690
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1691
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "D\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 1692
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1693
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002e0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InputBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1694
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 1695
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "D\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 1696
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 1697
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1698
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00R\\x00e\\x00p\\x00o\\x00r\\x00t\\x00Q\\x00u\\x00e\\x00u\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 1699
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1700
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002e0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InputBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1701
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 1702
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00R\\x00e\\x00p\\x00o\\x00r\\x00t\\x00Q\\x00u\\x00e\\x00u\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 1703
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1704
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue"
              }
            ],
            "repeated": 0,
            "id": 1705
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c73e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 1706
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 1707
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c76e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 1708
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 1709
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1710
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0010000",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|DELETE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\4225bbd8-56a8-4c70-a672-42afd4aae78e"
              },
              {
                "name": "CreateDisposition",
                "value": "2",
                "pretty_value": "FILE_CREATE"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1711
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 1712
          },
          {
            "timestamp": "2026-04-16 20:00:23,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1713
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1714
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 1715
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e4"
              }
            ],
            "repeated": 1,
            "id": 1716
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 1,
            "id": 1717
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e4"
              }
            ],
            "repeated": 0,
            "id": 1718
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1719
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              }
            ],
            "repeated": 0,
            "id": 1720
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x039f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1721
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e230"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00<\\x08"
              }
            ],
            "repeated": 0,
            "id": 1722
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x083c0000"
              },
              {
                "name": "Size",
                "value": "0x00000968"
              },
              {
                "name": "Buffer",
                "value": "h\t\\x00\\x00P\\x00E\\x00B\\x00_\\x00S\\x00I\\x00G\\x00N\\x00A\\x00T\\x00U\\x00R\\x00E\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1723
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x039f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 1724
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e230"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00<\\x08"
              }
            ],
            "repeated": 0,
            "id": 1725
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x083c0000"
              },
              {
                "name": "Size",
                "value": "0x00000968"
              },
              {
                "name": "Buffer",
                "value": "h\t\\x00\\x00P\\x00E\\x00B\\x00_\\x00S\\x00I\\x00G\\x00N\\x00A\\x00T\\x00U\\x00R\\x00E\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1726
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1727
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1728
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 1729
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e4"
              },
              {
                "name": "ValueName",
                "value": "RestartRunTime"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime"
              }
            ],
            "repeated": 0,
            "id": 1730
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e4"
              }
            ],
            "repeated": 0,
            "id": 1731
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1732
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 1733
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e4"
              },
              {
                "name": "ValueName",
                "value": "RestartRunTime"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime"
              }
            ],
            "repeated": 0,
            "id": 1734
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e4"
              }
            ],
            "repeated": 0,
            "id": 1735
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e230"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00<\\x08"
              }
            ],
            "repeated": 0,
            "id": 1736
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x083c0000"
              },
              {
                "name": "Size",
                "value": "0x00000968"
              },
              {
                "name": "Buffer",
                "value": "h\t\\x00\\x00P\\x00E\\x00B\\x00_\\x00S\\x00I\\x00G\\x00N\\x00A\\x00T\\x00U\\x00R\\x00E\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1737
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e234"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1738
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "CreateToolhelp32Snapshot",
            "status": true,
            "return": "0x000002e0",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000008",
                "pretty_value": "TH32CS_SNAPMODULE"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 1739
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32FirstW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "NanoCore.exe"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 1740
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1741
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1742
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1743
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a1d88"
              },
              {
                "name": "Size",
                "value": "0x0000005c"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00c\\x00a\\x00p\\x00e\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\\\x00N\\x00a\\x00n\\x00o\\x00C\\x00o\\x00r\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1744
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 1745
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1746
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1747
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1748
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1749
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2c98"
              },
              {
                "name": "Size",
                "value": "0x0000003c"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00Y\\x00S\\x00T\\x00E\\x00M\\x003\\x002\\x00\\\\x00n\\x00t\\x00d\\x00l\\x00l\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1750
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MSCOREE.DLL"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 1751
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1752
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1753
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1754
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1755
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00tY-\\x010\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1756
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3320"
              },
              {
                "name": "Size",
                "value": "0x00000040"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00Y\\x00S\\x00T\\x00E\\x00M\\x003\\x002\\x00\\\\x00M\\x00S\\x00C\\x00O\\x00R\\x00E\\x00E\\x00.\\x00D\\x00L\\x00L\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1757
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 1758
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1759
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1760
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1761
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1762
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00tY-\\x010\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1763
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1764
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3508"
              },
              {
                "name": "Size",
                "value": "0x00000042"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00K\\x00E\\x00R\\x00N\\x00E\\x00L\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1765
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 1766
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1767
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1768
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1769
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1770
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00tY-\\x010\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1771
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1772
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00dA-\\x01\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1773
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3878"
              },
              {
                "name": "Size",
                "value": "0x00000046"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00K\\x00E\\x00R\\x00N\\x00E\\x00L\\x00B\\x00A\\x00S\\x00E\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1774
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "apphelp.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 1775
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1776
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1777
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1778
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1779
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00tY-\\x010\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1780
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1781
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00dA-\\x01\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1782
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1783
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4440"
              },
              {
                "name": "Size",
                "value": "0x00000040"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00Y\\x00S\\x00T\\x00E\\x00M\\x003\\x002\\x00\\\\x00a\\x00p\\x00p\\x00h\\x00e\\x00l\\x00p\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1784
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "CRYPT32.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 1785
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1786
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1787
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1788
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1789
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00tY-\\x010\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1790
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1791
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00dA-\\x01\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1792
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1793
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1794
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012ae6b0"
              },
              {
                "name": "Size",
                "value": "0x00000040"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00C\\x00R\\x00Y\\x00P\\x00T\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1795
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ucrtbase.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 1796
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1797
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1798
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1799
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1800
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00tY-\\x010\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1801
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1802
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00dA-\\x01\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1803
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1804
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1805
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1806
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af048"
              },
              {
                "name": "Size",
                "value": "0x00000042"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00u\\x00c\\x00r\\x00t\\x00b\\x00a\\x00s\\x00e\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1807
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "WS2_32.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 1808
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1809
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1810
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1811
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1812
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00tY-\\x010\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1813
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1814
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00dA-\\x01\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1815
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1816
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1817
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1818
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af1b0"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xf6*\\x01`\\xef*\\x01X\\xf6*\\x01h\\xef*\\x01H\\x02+\\x01`\\xf6*\\x01\\x00\\x00dv@Kdv\\x000\\x06\\x00<\\x00>\\x00\\x98\\xf2*\\x01\\x14\\x00\\x16\\x00\\xc0\\xf2*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\xc4\\x01+\\x01p\\\\xf6w!\t\\xac\\xf9"
              }
            ],
            "repeated": 0,
            "id": 1819
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af298"
              },
              {
                "name": "Size",
                "value": "0x0000003e"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00W\\x00S\\x002\\x00_\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1820
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 1821
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1822
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1823
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1824
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1825
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00tY-\\x010\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1826
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1827
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00dA-\\x01\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1828
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1829
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1830
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1831
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af1b0"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xf6*\\x01`\\xef*\\x01X\\xf6*\\x01h\\xef*\\x01H\\x02+\\x01`\\xf6*\\x01\\x00\\x00dv@Kdv\\x000\\x06\\x00<\\x00>\\x00\\x98\\xf2*\\x01\\x14\\x00\\x16\\x00\\xc0\\xf2*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\xc4\\x01+\\x01p\\\\xf6w!\t\\xac\\xf9"
              }
            ],
            "repeated": 0,
            "id": 1832
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af650"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " \\xf9*\\x01\\xb0\\xf1*\\x01(\\xf9*\\x01\\xb8\\xf1*\\x01\\xc0\\xf1*\\x01`\\xed*\\x01\\x00\\x00\\x90v0\\xbf\\x93v\\x00\\xe0\\x0b\\x00<\\x00>\\x008\\xf7*\\x01\\x14\\x00\\x16\\x00`\\xf7*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x98[\\xf6w\\x8c\\xed*\\x01\\xb6\\xa0\\xb4\\x11"
              }
            ],
            "repeated": 0,
            "id": 1833
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af738"
              },
              {
                "name": "Size",
                "value": "0x0000003e"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00R\\x00P\\x00C\\x00R\\x00T\\x004\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1834
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 1835
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1836
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1837
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1838
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1839
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00tY-\\x010\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1840
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1841
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00dA-\\x01\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1842
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1843
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1844
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1845
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af1b0"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xf6*\\x01`\\xef*\\x01X\\xf6*\\x01h\\xef*\\x01H\\x02+\\x01`\\xf6*\\x01\\x00\\x00dv@Kdv\\x000\\x06\\x00<\\x00>\\x00\\x98\\xf2*\\x01\\x14\\x00\\x16\\x00\\xc0\\xf2*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\xc4\\x01+\\x01p\\\\xf6w!\t\\xac\\xf9"
              }
            ],
            "repeated": 0,
            "id": 1846
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af650"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " \\xf9*\\x01\\xb0\\xf1*\\x01(\\xf9*\\x01\\xb8\\xf1*\\x01\\xc0\\xf1*\\x01`\\xed*\\x01\\x00\\x00\\x90v0\\xbf\\x93v\\x00\\xe0\\x0b\\x00<\\x00>\\x008\\xf7*\\x01\\x14\\x00\\x16\\x00`\\xf7*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x98[\\xf6w\\x8c\\xed*\\x01\\xb6\\xa0\\xb4\\x11"
              }
            ],
            "repeated": 0,
            "id": 1847
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af920"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "8\\x02+\\x01P\\xf6*\\x01@\\x02+\\x01X\\xf6*\\x01\\x98\\x01+\\x01\\xe8\\x00+\\x01\\x00\\x00\\xd1u\\x90\\xc9\\xd4u\\x00\\xb0\\x19\\x00<\\x00>\\x00H\\xfc*\\x01\\x14\\x00\\x16\\x00p\\xfc*\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00\\xc4B-\\x01\\x80[\\xf6w-\\xec\\xfb?"
              }
            ],
            "repeated": 0,
            "id": 1848
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012afc48"
              },
              {
                "name": "Size",
                "value": "0x0000003e"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00U\\x00S\\x00E\\x00R\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1849
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "win32u.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 1850
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1851
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1852
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1853
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1854
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00tY-\\x010\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1855
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1856
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00dA-\\x01\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1857
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1858
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1859
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1860
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af1b0"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xf6*\\x01`\\xef*\\x01X\\xf6*\\x01h\\xef*\\x01H\\x02+\\x01`\\xf6*\\x01\\x00\\x00dv@Kdv\\x000\\x06\\x00<\\x00>\\x00\\x98\\xf2*\\x01\\x14\\x00\\x16\\x00\\xc0\\xf2*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\xc4\\x01+\\x01p\\\\xf6w!\t\\xac\\xf9"
              }
            ],
            "repeated": 0,
            "id": 1861
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af650"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " \\xf9*\\x01\\xb0\\xf1*\\x01(\\xf9*\\x01\\xb8\\xf1*\\x01\\xc0\\xf1*\\x01`\\xed*\\x01\\x00\\x00\\x90v0\\xbf\\x93v\\x00\\xe0\\x0b\\x00<\\x00>\\x008\\xf7*\\x01\\x14\\x00\\x16\\x00`\\xf7*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x98[\\xf6w\\x8c\\xed*\\x01\\xb6\\xa0\\xb4\\x11"
              }
            ],
            "repeated": 0,
            "id": 1862
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af920"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "8\\x02+\\x01P\\xf6*\\x01@\\x02+\\x01X\\xf6*\\x01\\x98\\x01+\\x01\\xe8\\x00+\\x01\\x00\\x00\\xd1u\\x90\\xc9\\xd4u\\x00\\xb0\\x19\\x00<\\x00>\\x00H\\xfc*\\x01\\x14\\x00\\x16\\x00p\\xfc*\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00\\xc4B-\\x01\\x80[\\xf6w-\\xec\\xfb?"
              }
            ],
            "repeated": 0,
            "id": 1863
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xd8\\x00+\\x01 \\xf9*\\x01\\xe0\\x00+\\x01(\\xf9*\\x01\\xd8\\xfe*\\x01\\xc0\\xf1*\\x01\\x00\\x00Lw\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00<\\x00>\\x00x\r+\\x01\\x14\\x00\\x16\\x00\\xa0\r+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14\\x0c+\\x01\\x00\\\\xf6wh\\x97\\xcfU"
              }
            ],
            "repeated": 0,
            "id": 1864
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0d78"
              },
              {
                "name": "Size",
                "value": "0x0000003e"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00w\\x00i\\x00n\\x003\\x002\\x00u\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1865
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 1866
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1867
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1868
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1869
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1870
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00tY-\\x010\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1871
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1872
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00dA-\\x01\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1873
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1874
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1875
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1876
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af1b0"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xf6*\\x01`\\xef*\\x01X\\xf6*\\x01h\\xef*\\x01H\\x02+\\x01`\\xf6*\\x01\\x00\\x00dv@Kdv\\x000\\x06\\x00<\\x00>\\x00\\x98\\xf2*\\x01\\x14\\x00\\x16\\x00\\xc0\\xf2*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\xc4\\x01+\\x01p\\\\xf6w!\t\\xac\\xf9"
              }
            ],
            "repeated": 0,
            "id": 1877
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af650"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " \\xf9*\\x01\\xb0\\xf1*\\x01(\\xf9*\\x01\\xb8\\xf1*\\x01\\xc0\\xf1*\\x01`\\xed*\\x01\\x00\\x00\\x90v0\\xbf\\x93v\\x00\\xe0\\x0b\\x00<\\x00>\\x008\\xf7*\\x01\\x14\\x00\\x16\\x00`\\xf7*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x98[\\xf6w\\x8c\\xed*\\x01\\xb6\\xa0\\xb4\\x11"
              }
            ],
            "repeated": 0,
            "id": 1878
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af920"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "8\\x02+\\x01P\\xf6*\\x01@\\x02+\\x01X\\xf6*\\x01\\x98\\x01+\\x01\\xe8\\x00+\\x01\\x00\\x00\\xd1u\\x90\\xc9\\xd4u\\x00\\xb0\\x19\\x00<\\x00>\\x00H\\xfc*\\x01\\x14\\x00\\x16\\x00p\\xfc*\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00\\xc4B-\\x01\\x80[\\xf6w-\\xec\\xfb?"
              }
            ],
            "repeated": 0,
            "id": 1879
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xd8\\x00+\\x01 \\xf9*\\x01\\xe0\\x00+\\x01(\\xf9*\\x01\\xd8\\xfe*\\x01\\xc0\\xf1*\\x01\\x00\\x00Lw\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00<\\x00>\\x00x\r+\\x01\\x14\\x00\\x16\\x00\\xa0\r+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14\\x0c+\\x01\\x00\\\\xf6wh\\x97\\xcfU"
              }
            ],
            "repeated": 0,
            "id": 1880
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b00d8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xd8\\x0b+\\x018\\x02+\\x01\\xe0\\x0b+\\x01@\\x02+\\x010\\xf9*\\x01\\xe8\\x0b+\\x01\\x00\\x00\\xa8vps\\xa8v\\x000\\x02\\x00:\\x00<\\x00\\x98\\x0e+\\x01\\x12\\x00\\x14\\x00\\xc0\\x0e+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x004Q-\\x01\\x88[\\xf6w\\xd1\t\\xb0*"
              }
            ],
            "repeated": 0,
            "id": 1881
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0e98"
              },
              {
                "name": "Size",
                "value": "0x0000003c"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00G\\x00D\\x00I\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1882
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdi32full.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 1883
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1884
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1885
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1886
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1887
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00tY-\\x010\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1888
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1889
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00dA-\\x01\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1890
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1891
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1892
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1893
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af1b0"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xf6*\\x01`\\xef*\\x01X\\xf6*\\x01h\\xef*\\x01H\\x02+\\x01`\\xf6*\\x01\\x00\\x00dv@Kdv\\x000\\x06\\x00<\\x00>\\x00\\x98\\xf2*\\x01\\x14\\x00\\x16\\x00\\xc0\\xf2*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\xc4\\x01+\\x01p\\\\xf6w!\t\\xac\\xf9"
              }
            ],
            "repeated": 0,
            "id": 1894
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af650"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " \\xf9*\\x01\\xb0\\xf1*\\x01(\\xf9*\\x01\\xb8\\xf1*\\x01\\xc0\\xf1*\\x01`\\xed*\\x01\\x00\\x00\\x90v0\\xbf\\x93v\\x00\\xe0\\x0b\\x00<\\x00>\\x008\\xf7*\\x01\\x14\\x00\\x16\\x00`\\xf7*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x98[\\xf6w\\x8c\\xed*\\x01\\xb6\\xa0\\xb4\\x11"
              }
            ],
            "repeated": 0,
            "id": 1895
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af920"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "8\\x02+\\x01P\\xf6*\\x01@\\x02+\\x01X\\xf6*\\x01\\x98\\x01+\\x01\\xe8\\x00+\\x01\\x00\\x00\\xd1u\\x90\\xc9\\xd4u\\x00\\xb0\\x19\\x00<\\x00>\\x00H\\xfc*\\x01\\x14\\x00\\x16\\x00p\\xfc*\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00\\xc4B-\\x01\\x80[\\xf6w-\\xec\\xfb?"
              }
            ],
            "repeated": 0,
            "id": 1896
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xd8\\x00+\\x01 \\xf9*\\x01\\xe0\\x00+\\x01(\\xf9*\\x01\\xd8\\xfe*\\x01\\xc0\\xf1*\\x01\\x00\\x00Lw\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00<\\x00>\\x00x\r+\\x01\\x14\\x00\\x16\\x00\\xa0\r+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14\\x0c+\\x01\\x00\\\\xf6wh\\x97\\xcfU"
              }
            ],
            "repeated": 0,
            "id": 1897
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b00d8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xd8\\x0b+\\x018\\x02+\\x01\\xe0\\x0b+\\x01@\\x02+\\x010\\xf9*\\x01\\xe8\\x0b+\\x01\\x00\\x00\\xa8vps\\xa8v\\x000\\x02\\x00:\\x00<\\x00\\x98\\x0e+\\x01\\x12\\x00\\x14\\x00\\xc0\\x0e+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x004Q-\\x01\\x88[\\xf6w\\xd1\t\\xb0*"
              }
            ],
            "repeated": 0,
            "id": 1898
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0bd8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xc8\\xfe*\\x01\\xd8\\x00+\\x01\\xd0\\xfe*\\x01\\xe0\\x00+\\x01\\xe8\\x00+\\x01\\xd8\\xfe*\\x01\\x00\\x00\\x82v@\\x02\\x88v\\x00\\xd0\r\\x00B\\x00D\\x00\\x18\\x14+\\x01\\x1a\\x00\\x1c\\x00@\\x14+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00\\x04\\xff*\\x01t\\x02+\\x01\\xd4\r\\x89+"
              }
            ],
            "repeated": 0,
            "id": 1899
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b1418"
              },
              {
                "name": "Size",
                "value": "0x00000044"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00g\\x00d\\x00i\\x003\\x002\\x00f\\x00u\\x00l\\x00l\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1900
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "msvcp_win.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 1901
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1902
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1903
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1904
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1905
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00tY-\\x010\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1906
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1907
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00dA-\\x01\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1908
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1909
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1910
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1911
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af1b0"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xf6*\\x01`\\xef*\\x01X\\xf6*\\x01h\\xef*\\x01H\\x02+\\x01`\\xf6*\\x01\\x00\\x00dv@Kdv\\x000\\x06\\x00<\\x00>\\x00\\x98\\xf2*\\x01\\x14\\x00\\x16\\x00\\xc0\\xf2*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\xc4\\x01+\\x01p\\\\xf6w!\t\\xac\\xf9"
              }
            ],
            "repeated": 0,
            "id": 1912
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af650"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " \\xf9*\\x01\\xb0\\xf1*\\x01(\\xf9*\\x01\\xb8\\xf1*\\x01\\xc0\\xf1*\\x01`\\xed*\\x01\\x00\\x00\\x90v0\\xbf\\x93v\\x00\\xe0\\x0b\\x00<\\x00>\\x008\\xf7*\\x01\\x14\\x00\\x16\\x00`\\xf7*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x98[\\xf6w\\x8c\\xed*\\x01\\xb6\\xa0\\xb4\\x11"
              }
            ],
            "repeated": 0,
            "id": 1913
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af920"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "8\\x02+\\x01P\\xf6*\\x01@\\x02+\\x01X\\xf6*\\x01\\x98\\x01+\\x01\\xe8\\x00+\\x01\\x00\\x00\\xd1u\\x90\\xc9\\xd4u\\x00\\xb0\\x19\\x00<\\x00>\\x00H\\xfc*\\x01\\x14\\x00\\x16\\x00p\\xfc*\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00\\xc4B-\\x01\\x80[\\xf6w-\\xec\\xfb?"
              }
            ],
            "repeated": 0,
            "id": 1914
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xd8\\x00+\\x01 \\xf9*\\x01\\xe0\\x00+\\x01(\\xf9*\\x01\\xd8\\xfe*\\x01\\xc0\\xf1*\\x01\\x00\\x00Lw\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00<\\x00>\\x00x\r+\\x01\\x14\\x00\\x16\\x00\\xa0\r+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14\\x0c+\\x01\\x00\\\\xf6wh\\x97\\xcfU"
              }
            ],
            "repeated": 0,
            "id": 1915
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b00d8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xd8\\x0b+\\x018\\x02+\\x01\\xe0\\x0b+\\x01@\\x02+\\x010\\xf9*\\x01\\xe8\\x0b+\\x01\\x00\\x00\\xa8vps\\xa8v\\x000\\x02\\x00:\\x00<\\x00\\x98\\x0e+\\x01\\x12\\x00\\x14\\x00\\xc0\\x0e+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x004Q-\\x01\\x88[\\xf6w\\xd1\t\\xb0*"
              }
            ],
            "repeated": 0,
            "id": 1916
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0bd8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xc8\\xfe*\\x01\\xd8\\x00+\\x01\\xd0\\xfe*\\x01\\xe0\\x00+\\x01\\xe8\\x00+\\x01\\xd8\\xfe*\\x01\\x00\\x00\\x82v@\\x02\\x88v\\x00\\xd0\r\\x00B\\x00D\\x00\\x18\\x14+\\x01\\x1a\\x00\\x1c\\x00@\\x14+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00\\x04\\xff*\\x01t\\x02+\\x01\\xd4\r\\x89+"
              }
            ],
            "repeated": 0,
            "id": 1917
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012afec8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xe8\\x02+\\x01\\xd8\\x0b+\\x01\\xf0\\x02+\\x01\\xe0\\x0b+\\x01\\xe8\\x0b+\\x01H\\x02+\\x01\\x00\\x00\\v\\x00x]v\\x00\\xb0\\x07\\x00B\\x00D\\x00\\xb8\\x17+\\x01\\x1a\\x00\\x1c\\x00\\xe0\\x17+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00D\\x07+\\x01\\x14\\x0c+\\x01RDR\\xfd"
              }
            ],
            "repeated": 0,
            "id": 1918
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b17b8"
              },
              {
                "name": "Size",
                "value": "0x00000044"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00m\\x00s\\x00v\\x00c\\x00p\\x00_\\x00w\\x00i\\x00n\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1919
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 1920
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1921
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1922
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1923
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1924
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00tY-\\x010\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1925
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1926
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00dA-\\x01\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1927
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1928
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1929
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1930
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af1b0"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xf6*\\x01`\\xef*\\x01X\\xf6*\\x01h\\xef*\\x01H\\x02+\\x01`\\xf6*\\x01\\x00\\x00dv@Kdv\\x000\\x06\\x00<\\x00>\\x00\\x98\\xf2*\\x01\\x14\\x00\\x16\\x00\\xc0\\xf2*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\xc4\\x01+\\x01p\\\\xf6w!\t\\xac\\xf9"
              }
            ],
            "repeated": 0,
            "id": 1931
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af650"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " \\xf9*\\x01\\xb0\\xf1*\\x01(\\xf9*\\x01\\xb8\\xf1*\\x01\\xc0\\xf1*\\x01`\\xed*\\x01\\x00\\x00\\x90v0\\xbf\\x93v\\x00\\xe0\\x0b\\x00<\\x00>\\x008\\xf7*\\x01\\x14\\x00\\x16\\x00`\\xf7*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x98[\\xf6w\\x8c\\xed*\\x01\\xb6\\xa0\\xb4\\x11"
              }
            ],
            "repeated": 0,
            "id": 1932
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af920"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "8\\x02+\\x01P\\xf6*\\x01@\\x02+\\x01X\\xf6*\\x01\\x98\\x01+\\x01\\xe8\\x00+\\x01\\x00\\x00\\xd1u\\x90\\xc9\\xd4u\\x00\\xb0\\x19\\x00<\\x00>\\x00H\\xfc*\\x01\\x14\\x00\\x16\\x00p\\xfc*\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00\\xc4B-\\x01\\x80[\\xf6w-\\xec\\xfb?"
              }
            ],
            "repeated": 0,
            "id": 1933
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xd8\\x00+\\x01 \\xf9*\\x01\\xe0\\x00+\\x01(\\xf9*\\x01\\xd8\\xfe*\\x01\\xc0\\xf1*\\x01\\x00\\x00Lw\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00<\\x00>\\x00x\r+\\x01\\x14\\x00\\x16\\x00\\xa0\r+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14\\x0c+\\x01\\x00\\\\xf6wh\\x97\\xcfU"
              }
            ],
            "repeated": 0,
            "id": 1934
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b00d8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xd8\\x0b+\\x018\\x02+\\x01\\xe0\\x0b+\\x01@\\x02+\\x010\\xf9*\\x01\\xe8\\x0b+\\x01\\x00\\x00\\xa8vps\\xa8v\\x000\\x02\\x00:\\x00<\\x00\\x98\\x0e+\\x01\\x12\\x00\\x14\\x00\\xc0\\x0e+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x004Q-\\x01\\x88[\\xf6w\\xd1\t\\xb0*"
              }
            ],
            "repeated": 0,
            "id": 1935
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0bd8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xc8\\xfe*\\x01\\xd8\\x00+\\x01\\xd0\\xfe*\\x01\\xe0\\x00+\\x01\\xe8\\x00+\\x01\\xd8\\xfe*\\x01\\x00\\x00\\x82v@\\x02\\x88v\\x00\\xd0\r\\x00B\\x00D\\x00\\x18\\x14+\\x01\\x1a\\x00\\x1c\\x00@\\x14+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00\\x04\\xff*\\x01t\\x02+\\x01\\xd4\r\\x89+"
              }
            ],
            "repeated": 0,
            "id": 1936
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012afec8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xe8\\x02+\\x01\\xd8\\x0b+\\x01\\xf0\\x02+\\x01\\xe0\\x0b+\\x01\\xe8\\x0b+\\x01H\\x02+\\x01\\x00\\x00\\v\\x00x]v\\x00\\xb0\\x07\\x00B\\x00D\\x00\\xb8\\x17+\\x01\\x1a\\x00\\x1c\\x00\\xe0\\x17+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00D\\x07+\\x01\\x14\\x0c+\\x01RDR\\xfd"
              }
            ],
            "repeated": 0,
            "id": 1937
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b02e8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x98\\x03+\\x01\\xc8\\xfe*\\x01\\xa0\\x03+\\x01\\xd0\\xfe*\\x01\\x88\\xff*\\x01(\\xfe*\\x01\\x00\\x00\\xeav\\x10\"\\xebv\\x00\\xb0\\x07\\x00@\\x00B\\x00\\x08\\x19+\\x01\\x18\\x00\\x1a\\x000\\x19+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x04@-\\x01`\\\\xf6wL\\x9dxd"
              }
            ],
            "repeated": 0,
            "id": 1938
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b1908"
              },
              {
                "name": "Size",
                "value": "0x00000042"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00A\\x00D\\x00V\\x00A\\x00P\\x00I\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1939
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "msvcrt.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 1940
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1941
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1942
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1943
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1944
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00tY-\\x010\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1945
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1946
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00dA-\\x01\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1947
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1948
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1949
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1950
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af1b0"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xf6*\\x01`\\xef*\\x01X\\xf6*\\x01h\\xef*\\x01H\\x02+\\x01`\\xf6*\\x01\\x00\\x00dv@Kdv\\x000\\x06\\x00<\\x00>\\x00\\x98\\xf2*\\x01\\x14\\x00\\x16\\x00\\xc0\\xf2*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\xc4\\x01+\\x01p\\\\xf6w!\t\\xac\\xf9"
              }
            ],
            "repeated": 0,
            "id": 1951
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af650"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " \\xf9*\\x01\\xb0\\xf1*\\x01(\\xf9*\\x01\\xb8\\xf1*\\x01\\xc0\\xf1*\\x01`\\xed*\\x01\\x00\\x00\\x90v0\\xbf\\x93v\\x00\\xe0\\x0b\\x00<\\x00>\\x008\\xf7*\\x01\\x14\\x00\\x16\\x00`\\xf7*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x98[\\xf6w\\x8c\\xed*\\x01\\xb6\\xa0\\xb4\\x11"
              }
            ],
            "repeated": 0,
            "id": 1952
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af920"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "8\\x02+\\x01P\\xf6*\\x01@\\x02+\\x01X\\xf6*\\x01\\x98\\x01+\\x01\\xe8\\x00+\\x01\\x00\\x00\\xd1u\\x90\\xc9\\xd4u\\x00\\xb0\\x19\\x00<\\x00>\\x00H\\xfc*\\x01\\x14\\x00\\x16\\x00p\\xfc*\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00\\xc4B-\\x01\\x80[\\xf6w-\\xec\\xfb?"
              }
            ],
            "repeated": 0,
            "id": 1953
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xd8\\x00+\\x01 \\xf9*\\x01\\xe0\\x00+\\x01(\\xf9*\\x01\\xd8\\xfe*\\x01\\xc0\\xf1*\\x01\\x00\\x00Lw\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00<\\x00>\\x00x\r+\\x01\\x14\\x00\\x16\\x00\\xa0\r+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14\\x0c+\\x01\\x00\\\\xf6wh\\x97\\xcfU"
              }
            ],
            "repeated": 0,
            "id": 1954
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b00d8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xd8\\x0b+\\x018\\x02+\\x01\\xe0\\x0b+\\x01@\\x02+\\x010\\xf9*\\x01\\xe8\\x0b+\\x01\\x00\\x00\\xa8vps\\xa8v\\x000\\x02\\x00:\\x00<\\x00\\x98\\x0e+\\x01\\x12\\x00\\x14\\x00\\xc0\\x0e+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x004Q-\\x01\\x88[\\xf6w\\xd1\t\\xb0*"
              }
            ],
            "repeated": 0,
            "id": 1955
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0bd8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xc8\\xfe*\\x01\\xd8\\x00+\\x01\\xd0\\xfe*\\x01\\xe0\\x00+\\x01\\xe8\\x00+\\x01\\xd8\\xfe*\\x01\\x00\\x00\\x82v@\\x02\\x88v\\x00\\xd0\r\\x00B\\x00D\\x00\\x18\\x14+\\x01\\x1a\\x00\\x1c\\x00@\\x14+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00\\x04\\xff*\\x01t\\x02+\\x01\\xd4\r\\x89+"
              }
            ],
            "repeated": 0,
            "id": 1956
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012afec8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xe8\\x02+\\x01\\xd8\\x0b+\\x01\\xf0\\x02+\\x01\\xe0\\x0b+\\x01\\xe8\\x0b+\\x01H\\x02+\\x01\\x00\\x00\\v\\x00x]v\\x00\\xb0\\x07\\x00B\\x00D\\x00\\xb8\\x17+\\x01\\x1a\\x00\\x1c\\x00\\xe0\\x17+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00D\\x07+\\x01\\x14\\x0c+\\x01RDR\\xfd"
              }
            ],
            "repeated": 0,
            "id": 1957
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b02e8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x98\\x03+\\x01\\xc8\\xfe*\\x01\\xa0\\x03+\\x01\\xd0\\xfe*\\x01\\x88\\xff*\\x01(\\xfe*\\x01\\x00\\x00\\xeav\\x10\"\\xebv\\x00\\xb0\\x07\\x00@\\x00B\\x00\\x08\\x19+\\x01\\x18\\x00\\x1a\\x000\\x19+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x04@-\\x01`\\\\xf6wL\\x9dxd"
              }
            ],
            "repeated": 0,
            "id": 1958
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0398"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x18\\xfe*\\x01\\xe8\\x02+\\x01 \\xfe*\\x01\\xf0\\x02+\\x01(\\xfe*\\x01\\x98\\x01+\\x01\\x00\\x00\\xdev\\xc0Z\\xe1v\\x00\\xf0\\x0b\\x00<\\x00>\\x00x\\x1a+\\x01\\x14\\x00\\x16\\x00\\xa0\\x1a+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x84E-\\x01\\xd8[\\xf6wPzV\\x7f"
              }
            ],
            "repeated": 0,
            "id": 1959
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b1a78"
              },
              {
                "name": "Size",
                "value": "0x0000003e"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00m\\x00s\\x00v\\x00c\\x00r\\x00t\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1960
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "sechost.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 1961
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1962
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1963
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1964
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1965
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00tY-\\x010\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1966
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1967
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00dA-\\x01\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1968
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1969
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1970
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1971
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af1b0"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xf6*\\x01`\\xef*\\x01X\\xf6*\\x01h\\xef*\\x01H\\x02+\\x01`\\xf6*\\x01\\x00\\x00dv@Kdv\\x000\\x06\\x00<\\x00>\\x00\\x98\\xf2*\\x01\\x14\\x00\\x16\\x00\\xc0\\xf2*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\xc4\\x01+\\x01p\\\\xf6w!\t\\xac\\xf9"
              }
            ],
            "repeated": 0,
            "id": 1972
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af650"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " \\xf9*\\x01\\xb0\\xf1*\\x01(\\xf9*\\x01\\xb8\\xf1*\\x01\\xc0\\xf1*\\x01`\\xed*\\x01\\x00\\x00\\x90v0\\xbf\\x93v\\x00\\xe0\\x0b\\x00<\\x00>\\x008\\xf7*\\x01\\x14\\x00\\x16\\x00`\\xf7*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x98[\\xf6w\\x8c\\xed*\\x01\\xb6\\xa0\\xb4\\x11"
              }
            ],
            "repeated": 0,
            "id": 1973
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af920"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "8\\x02+\\x01P\\xf6*\\x01@\\x02+\\x01X\\xf6*\\x01\\x98\\x01+\\x01\\xe8\\x00+\\x01\\x00\\x00\\xd1u\\x90\\xc9\\xd4u\\x00\\xb0\\x19\\x00<\\x00>\\x00H\\xfc*\\x01\\x14\\x00\\x16\\x00p\\xfc*\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00\\xc4B-\\x01\\x80[\\xf6w-\\xec\\xfb?"
              }
            ],
            "repeated": 0,
            "id": 1974
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xd8\\x00+\\x01 \\xf9*\\x01\\xe0\\x00+\\x01(\\xf9*\\x01\\xd8\\xfe*\\x01\\xc0\\xf1*\\x01\\x00\\x00Lw\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00<\\x00>\\x00x\r+\\x01\\x14\\x00\\x16\\x00\\xa0\r+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14\\x0c+\\x01\\x00\\\\xf6wh\\x97\\xcfU"
              }
            ],
            "repeated": 0,
            "id": 1975
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b00d8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xd8\\x0b+\\x018\\x02+\\x01\\xe0\\x0b+\\x01@\\x02+\\x010\\xf9*\\x01\\xe8\\x0b+\\x01\\x00\\x00\\xa8vps\\xa8v\\x000\\x02\\x00:\\x00<\\x00\\x98\\x0e+\\x01\\x12\\x00\\x14\\x00\\xc0\\x0e+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x004Q-\\x01\\x88[\\xf6w\\xd1\t\\xb0*"
              }
            ],
            "repeated": 0,
            "id": 1976
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0bd8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xc8\\xfe*\\x01\\xd8\\x00+\\x01\\xd0\\xfe*\\x01\\xe0\\x00+\\x01\\xe8\\x00+\\x01\\xd8\\xfe*\\x01\\x00\\x00\\x82v@\\x02\\x88v\\x00\\xd0\r\\x00B\\x00D\\x00\\x18\\x14+\\x01\\x1a\\x00\\x1c\\x00@\\x14+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00\\x04\\xff*\\x01t\\x02+\\x01\\xd4\r\\x89+"
              }
            ],
            "repeated": 0,
            "id": 1977
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012afec8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xe8\\x02+\\x01\\xd8\\x0b+\\x01\\xf0\\x02+\\x01\\xe0\\x0b+\\x01\\xe8\\x0b+\\x01H\\x02+\\x01\\x00\\x00\\v\\x00x]v\\x00\\xb0\\x07\\x00B\\x00D\\x00\\xb8\\x17+\\x01\\x1a\\x00\\x1c\\x00\\xe0\\x17+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00D\\x07+\\x01\\x14\\x0c+\\x01RDR\\xfd"
              }
            ],
            "repeated": 0,
            "id": 1978
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b02e8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x98\\x03+\\x01\\xc8\\xfe*\\x01\\xa0\\x03+\\x01\\xd0\\xfe*\\x01\\x88\\xff*\\x01(\\xfe*\\x01\\x00\\x00\\xeav\\x10\"\\xebv\\x00\\xb0\\x07\\x00@\\x00B\\x00\\x08\\x19+\\x01\\x18\\x00\\x1a\\x000\\x19+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x04@-\\x01`\\\\xf6wL\\x9dxd"
              }
            ],
            "repeated": 0,
            "id": 1979
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0398"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x18\\xfe*\\x01\\xe8\\x02+\\x01 \\xfe*\\x01\\xf0\\x02+\\x01(\\xfe*\\x01\\x98\\x01+\\x01\\x00\\x00\\xdev\\xc0Z\\xe1v\\x00\\xf0\\x0b\\x00<\\x00>\\x00x\\x1a+\\x01\\x14\\x00\\x16\\x00\\xa0\\x1a+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x84E-\\x01\\xd8[\\xf6wPzV\\x7f"
              }
            ],
            "repeated": 0,
            "id": 1980
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012afe18"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "H\\x04+\\x01\\x98\\x03+\\x01P\\x04+\\x01\\xa0\\x03+\\x01\\xf8\\x02+\\x01\\xa8\\x03+\\x01\\x00\\x007w \r9w\\x00`\\x07\\x00>\\x00@\\x00X%+\\x01\\x16\\x00\\x18\\x00\\x80%+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00DS-\\x01\\xf8[\\xf6wH\\xf4\\xe6L"
              }
            ],
            "repeated": 0,
            "id": 1981
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b2558"
              },
              {
                "name": "Size",
                "value": "0x00000040"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00e\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1982
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 1983
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 1984
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 1985
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 1986
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2d88"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "82*\\x01p.*\\x01@2*\\x01x.*\\x01\\xa07*\\x01\\x9c]\\xf6w\\x00\\x00\\xe4w\\x00\\x00\\x00\\x00\\x00@\\x1a\\x00:\\x00<\\x00\\x98,*\\x01\\x12\\x00\\x14\\x00\\x18\\x84\\xe4w\\xc4\\xaa\\x00\\x00\\xff\\xff\\x00\\x00 \\\\xf6w \\\\xf6w\\x06\\x01\\x04\\x10"
              }
            ],
            "repeated": 0,
            "id": 1987
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " 4*\\x01\\x88-*\\x01(4*\\x01\\x90-*\\x01hC*\\x0104*\\x01\\x00\\x00\\x16t\\x00\\xf1\\x18t\\x00 \\x05\\x00>\\x00@\\x00 3*\\x01\\x16\\x00\\x18\\x00H3*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00tY-\\x010\\\\xf6w\\x9b\\xa3\\xe7\\xe5"
              }
            ],
            "repeated": 0,
            "id": 1988
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3420"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x907*\\x0182*\\x01\\x987*\\x01@2*\\x01H2*\\x01\\xa07*\\x01\\x00\\x00\\xabv@\\xf6\\xacv\\x00\\x00\\x0f\\x00@\\x00B\\x00\\x085*\\x01\\x18\\x00\\x1a\\x0005*\\x01\\xcc\\xaa\\x0c\\x00\\xff\\xff\\x00\\x00\\x10\\\\xf6w\\x10\\\\xf6wagV "
              }
            ],
            "repeated": 0,
            "id": 1989
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a3790"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "XC*\\x01 4*\\x01`C*\\x01(4*\\x0104*\\x01\\x98-*\\x01\\x00\\x00\\x15w@s&w\\x00\\x90!\\x00D\\x00F\\x00x8*\\x01\\x1c\\x00\\x1e\\x00\\xa08*\\x01\\xcc\\xaa\\x08\\x00\\xff\\xff\\x00\\x00dA-\\x01\\xa0[\\xf6w\\\\x0e\\xd2\\xa5"
              }
            ],
            "repeated": 0,
            "id": 1990
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a4358"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xed*\\x01\\x907*\\x01X\\xed*\\x01\\x987*\\x01p\\xef*\\x01H2*\\x01\\x00\\x00\\x0bup\\x88\\x0eu\\x00\\xf0\t\\x00>\\x00@\\x00@D*\\x01\\x16\\x00\\x18\\x00hD*\\x01\\xcc\\xab\\x0c\\x80\\xff\\xff\\x00\\x00@\\\\xf6w@\\\\xf6w\\x1c;a\\x1a"
              }
            ],
            "repeated": 0,
            "id": 1991
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aed50"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "`\\xef*\\x01XC*\\x01h\\xef*\\x01`C*\\x01`\\xf6*\\x01p\\xef*\\x01\\x00\\x00\\xc8vpP\\xcdv\\x00\\xa0\\x0f\\x00>\\x00@\\x00\\xb0\\xe6*\\x01\\x16\\x00\\x18\\x00\\xd8\\xe6*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x8c\\xf6*\\x01\\x98[\\xf6w\\x95\\x03]\\x1d"
              }
            ],
            "repeated": 0,
            "id": 1992
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012aef60"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xf1*\\x01P\\xed*\\x01\\xb8\\xf1*\\x01X\\xed*\\x01`\\xed*\\x01hC*\\x01\\x00\\x00\\xf4u0\\xba\\xf6u\\x00\\x00\\x12\\x00@\\x00B\\x00H\\xf0*\\x01\\x18\\x00\\x1a\\x00p\\xf0*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14B-\\x01\\xac.*\\x01\\xa2\\x99\\xdc\\x82"
              }
            ],
            "repeated": 0,
            "id": 1993
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af1b0"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "P\\xf6*\\x01`\\xef*\\x01X\\xf6*\\x01h\\xef*\\x01H\\x02+\\x01`\\xf6*\\x01\\x00\\x00dv@Kdv\\x000\\x06\\x00<\\x00>\\x00\\x98\\xf2*\\x01\\x14\\x00\\x16\\x00\\xc0\\xf2*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\xc4\\x01+\\x01p\\\\xf6w!\t\\xac\\xf9"
              }
            ],
            "repeated": 0,
            "id": 1994
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af650"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": " \\xf9*\\x01\\xb0\\xf1*\\x01(\\xf9*\\x01\\xb8\\xf1*\\x01\\xc0\\xf1*\\x01`\\xed*\\x01\\x00\\x00\\x90v0\\xbf\\x93v\\x00\\xe0\\x0b\\x00<\\x00>\\x008\\xf7*\\x01\\x14\\x00\\x16\\x00`\\xf7*\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x98[\\xf6w\\x8c\\xed*\\x01\\xb6\\xa0\\xb4\\x11"
              }
            ],
            "repeated": 0,
            "id": 1995
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012af920"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "8\\x02+\\x01P\\xf6*\\x01@\\x02+\\x01X\\xf6*\\x01\\x98\\x01+\\x01\\xe8\\x00+\\x01\\x00\\x00\\xd1u\\x90\\xc9\\xd4u\\x00\\xb0\\x19\\x00<\\x00>\\x00H\\xfc*\\x01\\x14\\x00\\x16\\x00p\\xfc*\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00\\xc4B-\\x01\\x80[\\xf6w-\\xec\\xfb?"
              }
            ],
            "repeated": 0,
            "id": 1996
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xd8\\x00+\\x01 \\xf9*\\x01\\xe0\\x00+\\x01(\\xf9*\\x01\\xd8\\xfe*\\x01\\xc0\\xf1*\\x01\\x00\\x00Lw\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00<\\x00>\\x00x\r+\\x01\\x14\\x00\\x16\\x00\\xa0\r+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x14\\x0c+\\x01\\x00\\\\xf6wh\\x97\\xcfU"
              }
            ],
            "repeated": 0,
            "id": 1997
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b00d8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xd8\\x0b+\\x018\\x02+\\x01\\xe0\\x0b+\\x01@\\x02+\\x010\\xf9*\\x01\\xe8\\x0b+\\x01\\x00\\x00\\xa8vps\\xa8v\\x000\\x02\\x00:\\x00<\\x00\\x98\\x0e+\\x01\\x12\\x00\\x14\\x00\\xc0\\x0e+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x004Q-\\x01\\x88[\\xf6w\\xd1\t\\xb0*"
              }
            ],
            "repeated": 0,
            "id": 1998
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0bd8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xc8\\xfe*\\x01\\xd8\\x00+\\x01\\xd0\\xfe*\\x01\\xe0\\x00+\\x01\\xe8\\x00+\\x01\\xd8\\xfe*\\x01\\x00\\x00\\x82v@\\x02\\x88v\\x00\\xd0\r\\x00B\\x00D\\x00\\x18\\x14+\\x01\\x1a\\x00\\x1c\\x00@\\x14+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00\\x04\\xff*\\x01t\\x02+\\x01\\xd4\r\\x89+"
              }
            ],
            "repeated": 0,
            "id": 1999
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012afec8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\xe8\\x02+\\x01\\xd8\\x0b+\\x01\\xf0\\x02+\\x01\\xe0\\x0b+\\x01\\xe8\\x0b+\\x01H\\x02+\\x01\\x00\\x00\\v\\x00x]v\\x00\\xb0\\x07\\x00B\\x00D\\x00\\xb8\\x17+\\x01\\x1a\\x00\\x1c\\x00\\xe0\\x17+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00D\\x07+\\x01\\x14\\x0c+\\x01RDR\\xfd"
              }
            ],
            "repeated": 0,
            "id": 2000
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b02e8"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x98\\x03+\\x01\\xc8\\xfe*\\x01\\xa0\\x03+\\x01\\xd0\\xfe*\\x01\\x88\\xff*\\x01(\\xfe*\\x01\\x00\\x00\\xeav\\x10\"\\xebv\\x00\\xb0\\x07\\x00@\\x00B\\x00\\x08\\x19+\\x01\\x18\\x00\\x1a\\x000\\x19+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\x00\\x00\\x04@-\\x01`\\\\xf6wL\\x9dxd"
              }
            ],
            "repeated": 0,
            "id": 2001
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0398"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x18\\xfe*\\x01\\xe8\\x02+\\x01 \\xfe*\\x01\\xf0\\x02+\\x01(\\xfe*\\x01\\x98\\x01+\\x01\\x00\\x00\\xdev\\xc0Z\\xe1v\\x00\\xf0\\x0b\\x00<\\x00>\\x00x\\x1a+\\x01\\x14\\x00\\x16\\x00\\xa0\\x1a+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\x84E-\\x01\\xd8[\\xf6wPzV\\x7f"
              }
            ],
            "repeated": 0,
            "id": 2002
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012afe18"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "H\\x04+\\x01\\x98\\x03+\\x01P\\x04+\\x01\\xa0\\x03+\\x01\\xf8\\x02+\\x01\\xa8\\x03+\\x01\\x00\\x007w \r9w\\x00`\\x07\\x00>\\x00@\\x00X%+\\x01\\x16\\x00\\x18\\x00\\x80%+\\x01\\xcc\\xaa\\x0c\\x80\\x06\\x00\\x00\\x00DS-\\x01\\xf8[\\xf6wH\\xf4\\xe6L"
              }
            ],
            "repeated": 0,
            "id": 2003
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b0448"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "x\\xff*\\x01\\x18\\xfe*\\x01\\x80\\xff*\\x01 \\xfe*\\x01h\\x06+\\x01\\x88\\xff*\\x01\\x00\\x00\\x06w\\xf0\\xc8\\x08w\\x000\\x0e\\x00:\\x00<\\x00P'+\\x01\\x12\\x00\\x14\\x00x'+\\x01\\xcc\\xaa\\x08\\x80\\x06\\x00\\xff\\xff\\xf4\\x07+\\x01h\\\\xf6w/\\xad(S"
              }
            ],
            "repeated": 0,
            "id": 2004
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012b2750"
              },
              {
                "name": "Size",
                "value": "0x0000003c"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00o\\x00l\\x00e\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2005
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2006
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e2e00c"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "\\x80]\\xf6w"
              }
            ],
            "repeated": 0,
            "id": 2007
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f65d94"
              },
              {
                "name": "Size",
                "value": "0x00000004"
              },
              {
                "name": "Buffer",
                "value": "x.*\\x01"
              }
            ],
            "repeated": 0,
            "id": 2008
          },
          {
            "timestamp": "2026-04-16 20:00:23,033",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              },
              {
                "name": "BaseAddress",
                "value": "0x012a2e70"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\\x88-*\\x01\\x8c]\\xf6w\\x90-*\\x01\\x94]\\xf6w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x16\\x00Z\\x00\\\\x00\\x88\\x1d*\\x01\\x18\\x00\\x1a\\x00\\xca\\x1d*\\x01\\xc4\"@\\x01\\xff\\xff\\x00\\x00\\x9c\\xef*\\x018\\\\xf6w\t\\x9d\\x93U"
              }
            ],
            "repeated": 0,
            "id": 2009
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2010
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2011
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "bcrypt.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2012
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2013
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "CRYPTBASE.DLL"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2014
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SspiCli.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2015
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscoreei.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2016
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2017
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "VERSION.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2018
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscorwks.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2019
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MSVCR80.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2020
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "shell32.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2021
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2022
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2023
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHCORE.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2024
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "profapi.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2025
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscorlib.ni.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2026
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2027
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "uxtheme.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2028
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mscorjit.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2029
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "System.ni.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2030
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "psapi.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2031
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Microsoft.VisualBasic.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2032
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "System.Drawing.ni.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2033
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "System.Windows.Forms.ni.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2034
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "System.Runtime.Remoting.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2035
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "mswsock.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2036
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "System.Configuration.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2037
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "System.Xml.ni.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2038
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "CRYPTSP.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2039
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "rsaenh.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2040
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2041
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2042
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "DWrite.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2043
          },
          {
            "timestamp": "2026-04-16 20:00:23,049",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "WindowsCodecs.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2044
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "comctl32.dll"
              },
              {
                "name": "ModuleID",
                "value": "1"
              },
              {
                "name": "ProcessId",
                "value": "7684"
              }
            ],
            "repeated": 0,
            "id": 2045
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "Module32NextW",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2046
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 2047
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2048
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 2049
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2050
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 2051
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "NewUserDefaultConsent"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\NewUserDefaultConsent"
              }
            ],
            "repeated": 0,
            "id": 2052
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 2053
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2054
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 2055
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2056
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 2057
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "DontSendAdditionalData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData"
              }
            ],
            "repeated": 0,
            "id": 2058
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "Disabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled"
              }
            ],
            "repeated": 0,
            "id": 2059
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "Disabled"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled"
              }
            ],
            "repeated": 0,
            "id": 2060
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 2061
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e4"
              },
              {
                "name": "ValueName",
                "value": "DefaultConsent"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
              }
            ],
            "repeated": 0,
            "id": 2062
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e4"
              },
              {
                "name": "ValueName",
                "value": "DefaultConsent"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
              }
            ],
            "repeated": 0,
            "id": 2063
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e4"
              }
            ],
            "repeated": 0,
            "id": 2064
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 2065
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e4"
              },
              {
                "name": "ValueName",
                "value": "DefaultOverrideBehavior"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior"
              }
            ],
            "repeated": 0,
            "id": 2066
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e4"
              }
            ],
            "repeated": 0,
            "id": 2067
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "LoggingDisabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled"
              }
            ],
            "repeated": 0,
            "id": 2068
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "DontShowUI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI"
              }
            ],
            "repeated": 0,
            "id": 2069
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "QueuePesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval"
              }
            ],
            "repeated": 0,
            "id": 2070
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DebugApplications"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications"
              }
            ],
            "repeated": 0,
            "id": 2071
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "BypassDataThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling"
              }
            ],
            "repeated": 0,
            "id": 2072
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "ForceUserModeCabCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection"
              }
            ],
            "repeated": 0,
            "id": 2073
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "BypassPowerThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling"
              }
            ],
            "repeated": 0,
            "id": 2074
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "BypassNetworkCostThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling"
              }
            ],
            "repeated": 0,
            "id": 2075
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "QueueNoPesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval"
              }
            ],
            "repeated": 0,
            "id": 2076
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "AutoApproveOSDumps"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps"
              }
            ],
            "repeated": 0,
            "id": 2077
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "LiveReportFlushInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval"
              }
            ],
            "repeated": 0,
            "id": 2078
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 2079
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2080
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 2081
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2082
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 2083
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "DontSendAdditionalData"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData"
              }
            ],
            "repeated": 0,
            "id": 2084
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 2085
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "LoggingDisabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled"
              }
            ],
            "repeated": 0,
            "id": 2086
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "DontShowUI"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI"
              }
            ],
            "repeated": 0,
            "id": 2087
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "QueuePesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval"
              }
            ],
            "repeated": 0,
            "id": 2088
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DebugApplications"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications"
              }
            ],
            "repeated": 0,
            "id": 2089
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "BypassDataThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling"
              }
            ],
            "repeated": 0,
            "id": 2090
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "ForceUserModeCabCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection"
              }
            ],
            "repeated": 0,
            "id": 2091
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "BypassPowerThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling"
              }
            ],
            "repeated": 0,
            "id": 2092
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "BypassNetworkCostThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling"
              }
            ],
            "repeated": 0,
            "id": 2093
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "QueueNoPesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval"
              }
            ],
            "repeated": 0,
            "id": 2094
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "AutoApproveOSDumps"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps"
              }
            ],
            "repeated": 0,
            "id": 2095
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "LiveReportFlushInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval"
              }
            ],
            "repeated": 0,
            "id": 2096
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 2097
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2098
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 2099
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2100
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 2101
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "DontSendAdditionalData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData"
              }
            ],
            "repeated": 0,
            "id": 2102
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 2103
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "ValueName",
                "value": "DefaultOverrideBehavior"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior"
              }
            ],
            "repeated": 0,
            "id": 2104
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e8"
              }
            ],
            "repeated": 0,
            "id": 2105
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "LoggingDisabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled"
              }
            ],
            "repeated": 0,
            "id": 2106
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "DontShowUI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI"
              }
            ],
            "repeated": 0,
            "id": 2107
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "QueuePesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval"
              }
            ],
            "repeated": 0,
            "id": 2108
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "ForceQueue"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue"
              }
            ],
            "repeated": 0,
            "id": 2109
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "MaxQueueCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount"
              }
            ],
            "repeated": 0,
            "id": 2110
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "MaxArchiveCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount"
              }
            ],
            "repeated": 0,
            "id": 2111
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "ConfigureArchive"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive"
              }
            ],
            "repeated": 0,
            "id": 2112
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "DisableArchive"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive"
              }
            ],
            "repeated": 0,
            "id": 2113
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DebugApplications"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications"
              }
            ],
            "repeated": 0,
            "id": 2114
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer"
              }
            ],
            "repeated": 0,
            "id": 2115
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerUseSSL"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL"
              }
            ],
            "repeated": 0,
            "id": 2116
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerPortNumber"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber"
              }
            ],
            "repeated": 0,
            "id": 2117
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerUseAuthentication"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication"
              }
            ],
            "repeated": 0,
            "id": 2118
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "BypassDataThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling"
              }
            ],
            "repeated": 0,
            "id": 2119
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "ForceUserModeCabCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection"
              }
            ],
            "repeated": 0,
            "id": 2120
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "BypassPowerThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling"
              }
            ],
            "repeated": 0,
            "id": 2121
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "BypassNetworkCostThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling"
              }
            ],
            "repeated": 0,
            "id": 2122
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "QueueNoPesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval"
              }
            ],
            "repeated": 0,
            "id": 2123
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "AutoApproveOSDumps"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps"
              }
            ],
            "repeated": 0,
            "id": 2124
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "MinFreeDiskSpace"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinFreeDiskSpace"
              }
            ],
            "repeated": 0,
            "id": 2125
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "LiveReportFlushInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval"
              }
            ],
            "repeated": 0,
            "id": 2126
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "CabArchiveFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveFolder"
              }
            ],
            "repeated": 0,
            "id": 2127
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "ForceHeapDump"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceHeapDump"
              }
            ],
            "repeated": 0,
            "id": 2128
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "ForceMetadata"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceMetadata"
              }
            ],
            "repeated": 0,
            "id": 2129
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "Source"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Source"
              }
            ],
            "repeated": 0,
            "id": 2130
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "User"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\User"
              }
            ],
            "repeated": 0,
            "id": 2131
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "StorePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\StorePath"
              }
            ],
            "repeated": 0,
            "id": 2132
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "ForceEtw"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceEtw"
              }
            ],
            "repeated": 0,
            "id": 2133
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerUploadOnFreeNetworksOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUploadOnFreeNetworksOnly"
              }
            ],
            "repeated": 0,
            "id": 2134
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "UploadOnFreeNetworksOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\UploadOnFreeNetworksOnly"
              }
            ],
            "repeated": 0,
            "id": 2135
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "CabArchiveSeparate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveSeparate"
              }
            ],
            "repeated": 0,
            "id": 2136
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "CabArchiveCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveCreate"
              }
            ],
            "repeated": 0,
            "id": 2137
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "LocalCompression"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalCompression"
              }
            ],
            "repeated": 0,
            "id": 2138
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "DisableWerUpload"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableWerUpload"
              }
            ],
            "repeated": 0,
            "id": 2139
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "DisableEnterpriseAuthProxy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableEnterpriseAuthProxy"
              }
            ],
            "repeated": 0,
            "id": 2140
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "ArchiveFolderCountLimit"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ArchiveFolderCountLimit"
              }
            ],
            "repeated": 0,
            "id": 2141
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "QueueSizeMaxPercentFreeDisk"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueSizeMaxPercentFreeDisk"
              }
            ],
            "repeated": 0,
            "id": 2142
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "MinQueueSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinQueueSize"
              }
            ],
            "repeated": 0,
            "id": 2143
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "MaxRetriesForSasRenewal"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxRetriesForSasRenewal"
              }
            ],
            "repeated": 0,
            "id": 2144
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "NoHeapDumpOnQueue"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\NoHeapDumpOnQueue"
              }
            ],
            "repeated": 0,
            "id": 2145
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "DeferCabUpload"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DeferCabUpload"
              }
            ],
            "repeated": 0,
            "id": 2146
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 2147
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 2148
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySecurityPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb4050"
              }
            ],
            "repeated": 0,
            "id": 2149
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2150
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2151
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 2152
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 2153
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 2154
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 2155
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 2156
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2157
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 2158
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 2159
          },
          {
            "timestamp": "2026-04-16 20:00:23,064",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 2160
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 2161
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x70000000"
              }
            ],
            "repeated": 0,
            "id": 2162
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x70000000"
              }
            ],
            "repeated": 0,
            "id": 2163
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x70000000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x700121f0"
              }
            ],
            "repeated": 0,
            "id": 2164
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x70000000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x700143f0"
              }
            ],
            "repeated": 0,
            "id": 2165
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7007b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2166
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7007b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2167
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2168
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 2169
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 2170
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "73777"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 2171
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 2172
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 2173
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 2174
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7007b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2175
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7007b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2176
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 2177
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 2178
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 2179
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 2180
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 2181
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 2182
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 2183
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 2184
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 2185
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 2186
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value"
              }
            ],
            "repeated": 0,
            "id": 2187
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value"
              }
            ],
            "repeated": 0,
            "id": 2188
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2189
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2190
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 2191
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 2192
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2193
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2194
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 2195
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2196
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 2197
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 2198
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2199
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 2200
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 2201
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 2202
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 2203
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x70000000"
              }
            ],
            "repeated": 0,
            "id": 2204
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 2205
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2206
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2207
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x752a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 2208
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2209
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2210
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70000000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 2211
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 2212
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 2213
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2214
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 2215
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 2216
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 2217
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 2218
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 2219
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2220
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 2221
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 2222
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 2223
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TelemetryPermission-DefaultLevel"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2224
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 2225
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySecurityPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb4050"
              }
            ],
            "repeated": 0,
            "id": 2226
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2227
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2228
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 2229
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 2230
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 2231
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 2232
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 2233
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2234
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 2235
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 2236
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 2237
          },
          {
            "timestamp": "2026-04-16 20:00:23,080",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 2238
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x70000000"
              }
            ],
            "repeated": 0,
            "id": 2239
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x70000000"
              }
            ],
            "repeated": 0,
            "id": 2240
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x70000000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x700121f0"
              }
            ],
            "repeated": 0,
            "id": 2241
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x70000000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x700143f0"
              }
            ],
            "repeated": 0,
            "id": 2242
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7007b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2243
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7007b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2244
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2245
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 2246
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 2247
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "73777"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 2248
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 2249
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 2250
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 2251
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7007b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2252
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7007b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2253
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 2254
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 2255
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 2256
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 2257
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 2258
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 2259
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 2260
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 2261
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 2262
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 2263
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value"
              }
            ],
            "repeated": 0,
            "id": 2264
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value"
              }
            ],
            "repeated": 0,
            "id": 2265
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e8"
              }
            ],
            "repeated": 0,
            "id": 2266
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2267
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 2268
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 2269
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e8"
              }
            ],
            "repeated": 0,
            "id": 2270
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2271
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 2272
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2273
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 2274
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 2275
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e8"
              }
            ],
            "repeated": 0,
            "id": 2276
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 2277
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 2278
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 2279
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 2280
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x70000000"
              }
            ],
            "repeated": 0,
            "id": 2281
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 2282
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2283
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2284
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x752a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 2285
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2286
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2287
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70000000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 2288
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 2289
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 2290
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2291
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 2292
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ec"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 2293
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 2294
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 2295
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 2296
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2297
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 2298
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ec"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 2299
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 2300
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TelemetryPermission-DefaultLevel"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2301
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 2302
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySecurityPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb4050"
              }
            ],
            "repeated": 0,
            "id": 2303
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2304
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2305
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 2306
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ec"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 2307
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 2308
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 2309
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 2310
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2311
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 2312
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ec"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 2313
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 2314
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 2315
          },
          {
            "timestamp": "2026-04-16 20:00:23,096",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x70000000"
              }
            ],
            "repeated": 0,
            "id": 2316
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x70000000"
              }
            ],
            "repeated": 0,
            "id": 2317
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x70000000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x700121f0"
              }
            ],
            "repeated": 0,
            "id": 2318
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x70000000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x700143f0"
              }
            ],
            "repeated": 0,
            "id": 2319
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7007b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2320
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7007b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2321
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2322
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 2323
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 2324
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "73777"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 2325
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 2326
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 2327
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 2328
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7007b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2329
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7007b000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2330
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 2331
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 2332
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 2333
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 2334
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 2335
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 2336
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 2337
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 2338
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 2339
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 2340
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value"
              }
            ],
            "repeated": 0,
            "id": 2341
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value"
              }
            ],
            "repeated": 0,
            "id": 2342
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 2343
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2344
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 2345
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 2346
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 2347
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2348
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 2349
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2350
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 2351
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 2352
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 2353
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2354
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 2355
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 2356
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 2357
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x70000000"
              }
            ],
            "repeated": 0,
            "id": 2358
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 2359
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2360
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2361
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x752a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 2362
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2363
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2364
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70000000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 2365
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 2366
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 2367
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2368
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 2369
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ec"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 2370
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 2371
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 2372
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 2373
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2374
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 2375
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ec"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 2376
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 2377
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TelemetryPermission-DefaultLevel"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2378
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2379
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Policies\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 2380
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2381
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 2382
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ec"
              },
              {
                "name": "ValueName",
                "value": "MSFTInternal"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MSFTInternal"
              }
            ],
            "repeated": 0,
            "id": 2383
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 2384
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2385
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Policies\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 2386
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2387
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 2388
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ec"
              },
              {
                "name": "ValueName",
                "value": "IsTest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\IsTest"
              }
            ],
            "repeated": 0,
            "id": 2389
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 2390
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2391
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04143000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2392
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "D\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 2393
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2394
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002f0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InputBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2395
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2396
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "D\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 2397
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 2398
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              }
            ],
            "repeated": 1,
            "id": 2399
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp"
              },
              {
                "name": "CreateDisposition",
                "value": "2",
                "pretty_value": "FILE_CREATE"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2400
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 2401
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00110080",
                "pretty_value": "FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2402
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "f\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\\\x00W\\x00E\\x00R\\x002\\x00D\\x00B\\x003\\x00.\\x00t\\x00m\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 2403
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2404
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002f0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InputBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2405
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2406
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "f\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\\\x00W\\x00E\\x00R\\x002\\x00D\\x00B\\x003\\x00.\\x00t\\x00m\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 2407
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2408
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp"
              }
            ],
            "repeated": 0,
            "id": 2409
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c73e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 2410
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2411
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c73e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 2412
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2413
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c78a0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 2414
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2415
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c73e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xa8ff7128"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dccddb"
              }
            ],
            "repeated": 0,
            "id": 2416
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2417
          },
          {
            "timestamp": "2026-04-16 20:00:23,111",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2418
          },
          {
            "timestamp": "2026-04-16 20:00:23,127",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp"
              },
              {
                "name": "FileInformationClass",
                "value": "13",
                "pretty_value": "FileDispositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 2419
          },
          {
            "timestamp": "2026-04-16 20:00:23,127",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 2420
          },
          {
            "timestamp": "2026-04-16 20:00:23,127",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00110080",
                "pretty_value": "FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2421
          },
          {
            "timestamp": "2026-04-16 20:00:23,127",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "CreateDisposition",
                "value": "2",
                "pretty_value": "FILE_CREATE"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2422
          },
          {
            "timestamp": "2026-04-16 20:00:23,127",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x96\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\\\x00W\\x00E\\x00R\\x002\\x00D\\x00B\\x003\\x00.\\x00t\\x00m\\x00p\\x00.\\x00W\\x00E\\x00R\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00M\\x00e\\x00t\\x00a\\x00d\\x00a\\x00t\\x00a\\x00.\\x00x\\x00m\\x00l\\x00"
              }
            ],
            "repeated": 0,
            "id": 2423
          },
          {
            "timestamp": "2026-04-16 20:00:23,127",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2424
          },
          {
            "timestamp": "2026-04-16 20:00:23,127",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002f4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InputBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2425
          },
          {
            "timestamp": "2026-04-16 20:00:23,127",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 2426
          },
          {
            "timestamp": "2026-04-16 20:00:23,127",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x96\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\\\x00W\\x00E\\x00R\\x002\\x00D\\x00B\\x003\\x00.\\x00t\\x00m\\x00p\\x00.\\x00W\\x00E\\x00R\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00M\\x00e\\x00t\\x00a\\x00d\\x00a\\x00t\\x00a\\x00.\\x00x\\x00m\\x00l\\x00"
              }
            ],
            "repeated": 0,
            "id": 2427
          },
          {
            "timestamp": "2026-04-16 20:00:23,127",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2428
          },
          {
            "timestamp": "2026-04-16 20:00:23,127",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              }
            ],
            "repeated": 0,
            "id": 2429
          },
          {
            "timestamp": "2026-04-16 20:00:23,127",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c76e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 2430
          },
          {
            "timestamp": "2026-04-16 20:00:23,127",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 2431
          },
          {
            "timestamp": "2026-04-16 20:00:23,127",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c73e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 2432
          },
          {
            "timestamp": "2026-04-16 20:00:23,127",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 2433
          },
          {
            "timestamp": "2026-04-16 20:00:23,127",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c77e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 2434
          },
          {
            "timestamp": "2026-04-16 20:00:23,127",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 2435
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 2436
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              }
            ],
            "repeated": 0,
            "id": 2437
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c73e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 2438
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              }
            ],
            "repeated": 0,
            "id": 2439
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c76e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 2440
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              }
            ],
            "repeated": 0,
            "id": 2441
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005c76e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 2442
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              }
            ],
            "repeated": 0,
            "id": 2443
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2444
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\\xff\\xfe"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 2445
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "<\\x00?\\x00x\\x00m\\x00l\\x00 \\x00v\\x00e\\x00r\\x00s\\x00i\\x00o\\x00n\\x00=\\x00\"\\x001\\x00.\\x000\\x00\"\\x00 \\x00e\\x00n\\x00c\\x00o\\x00d\\x00i\\x00n\\x00g\\x00=\\x00\"\\x00U\\x00T\\x00F\\x00-\\x001\\x006\\x00\"\\x00?\\x00>\\x00"
              },
              {
                "name": "Length",
                "value": "78"
              }
            ],
            "repeated": 0,
            "id": 2446
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\r\\x00\n\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 2447
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "<\\x00W\\x00E\\x00R\\x00R\\x00e\\x00p\\x00o\\x00r\\x00t\\x00M\\x00e\\x00t\\x00a\\x00d\\x00a\\x00t\\x00a\\x00>\\x00"
              },
              {
                "name": "Length",
                "value": "38"
              }
            ],
            "repeated": 0,
            "id": 2448
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 2449
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 2450
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 2451
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2452
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 2453
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "ValueName",
                "value": "ProductName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName"
              }
            ],
            "repeated": 0,
            "id": 2454
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "ValueName",
                "value": "ProductName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Windows 10 Pro"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName"
              }
            ],
            "repeated": 0,
            "id": 2455
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 2456
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2457
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 2458
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "ValueName",
                "value": "EditionID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\EditionID"
              }
            ],
            "repeated": 0,
            "id": 2459
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "ValueName",
                "value": "EditionID"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Professional"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\EditionID"
              }
            ],
            "repeated": 0,
            "id": 2460
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 2461
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2462
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 2463
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "ValueName",
                "value": "Ubr"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2006"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Ubr"
              }
            ],
            "repeated": 0,
            "id": 2464
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 2465
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2466
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 2467
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "ValueName",
                "value": "UBR"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2006"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\UBR"
              }
            ],
            "repeated": 0,
            "id": 2468
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 2469
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2470
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 2471
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "ValueName",
                "value": "BuildLabEx"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildLabEx"
              }
            ],
            "repeated": 0,
            "id": 2472
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "ValueName",
                "value": "BuildLabEx"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "19041.1.amd64fre.vb_release.191206-1406"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildLabEx"
              }
            ],
            "repeated": 0,
            "id": 2473
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 2474
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2475
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 2476
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "ValueName",
                "value": "BuildBranch"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildBranch"
              }
            ],
            "repeated": 0,
            "id": 2477
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "ValueName",
                "value": "BuildBranch"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "vb_release"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildBranch"
              }
            ],
            "repeated": 0,
            "id": 2478
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 2479
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2480
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 2481
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "ValueName",
                "value": "CurrentType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType"
              }
            ],
            "repeated": 0,
            "id": 2482
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "ValueName",
                "value": "CurrentType"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Multiprocessor Free"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType"
              }
            ],
            "repeated": 0,
            "id": 2483
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 2484
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\r\\x00\n\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 2485
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\t\\x00"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 2486
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "<\\x00O\\x00S\\x00V\\x00e\\x00r\\x00s\\x00i\\x00o\\x00n\\x00I\\x00n\\x00f\\x00o\\x00r\\x00m\\x00a\\x00t\\x00i\\x00o\\x00n\\x00>\\x00"
              },
              {
                "name": "Length",
                "value": "44"
              }
            ],
            "repeated": 0,
            "id": 2487
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\r\\x00\n\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 2488
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\t\\x00"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 1,
            "id": 2489
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "<\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00N\\x00T\\x00V\\x00e\\x00r\\x00s\\x00i\\x00o\\x00n\\x00>\\x001\\x000\\x00.\\x000\\x00<\\x00/\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00N\\x00T\\x00V\\x00e\\x00r\\x00s\\x00i\\x00o\\x00n\\x00>\\x00"
              },
              {
                "name": "Length",
                "value": "82"
              }
            ],
            "repeated": 0,
            "id": 2490
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\r\\x00\n\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 2491
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\t\\x00"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 1,
            "id": 2492
          },
          {
            "timestamp": "2026-04-16 20:00:23,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "<\\x00B\\x00u\\x00i\\x00l\\x00d\\x00>\\x001\\x009\\x000\\x004\\x005\\x00<\\x00/\\x00B\\x00u\\x00i\\x00l\\x00d\\x00>\\x00"
              },
              {
                "name": "Length",
                "value": "40"
              }
            ],
            "repeated": 0,
            "id": 2493
          },
          {
            "timestamp": "2026-04-16 20:00:23,158",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\r\\x00\n\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 2494
          },
          {
            "timestamp": "2026-04-16 20:00:23,158",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\t\\x00"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 1,
            "id": 2495
          },
          {
            "timestamp": "2026-04-16 20:00:23,158",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "<\\x00P\\x00r\\x00o\\x00d\\x00u\\x00c\\x00t\\x00>\\x00(\\x000\\x00x\\x003\\x000\\x00)\\x00:\\x00 \\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00 \\x001\\x000\\x00 \\x00P\\x00r\\x00o\\x00<\\x00/\\x00P\\x00r\\x00o\\x00d\\x00u\\x00c\\x00t\\x00>\\x00"
              },
              {
                "name": "Length",
                "value": "82"
              }
            ],
            "repeated": 0,
            "id": 2496
          },
          {
            "timestamp": "2026-04-16 20:00:23,158",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\r\\x00\n\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 2497
          },
          {
            "timestamp": "2026-04-16 20:00:23,158",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\t\\x00"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 1,
            "id": 2498
          },
          {
            "timestamp": "2026-04-16 20:00:23,158",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "<\\x00E\\x00d\\x00i\\x00t\\x00i\\x00o\\x00n\\x00>\\x00P\\x00r\\x00o\\x00f\\x00e\\x00s\\x00s\\x00i\\x00o\\x00n\\x00a\\x00l\\x00<\\x00/\\x00E\\x00d\\x00i\\x00t\\x00i\\x00o\\x00n\\x00>\\x00"
              },
              {
                "name": "Length",
                "value": "62"
              }
            ],
            "repeated": 0,
            "id": 2499
          },
          {
            "timestamp": "2026-04-16 20:00:23,158",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\r\\x00\n\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 2500
          },
          {
            "timestamp": "2026-04-16 20:00:23,158",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\t\\x00"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 1,
            "id": 2501
          },
          {
            "timestamp": "2026-04-16 20:00:23,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "<\\x00B\\x00u\\x00i\\x00l\\x00d\\x00S\\x00t\\x00r\\x00i\\x00n\\x00g\\x00>\\x001\\x009\\x000\\x004\\x001\\x00.\\x002\\x000\\x000\\x006\\x00.\\x00a\\x00m\\x00d\\x006\\x004\\x00f\\x00r\\x00e\\x00.\\x00v\\x00b\\x00_\\x00r\\x00e\\x00l\\x00e\\x00a\\x00s\\x00e\\x00.\\x001\\x009\\x001\\x002\\x000\\x006\\x00-\\x001\\x004\\x000\\x006\\x00<\\x00/\\x00B\\x00u\\x00i\\x00l\\x00d\\x00S\\x00t\\x00r\\x00i\\x00n\\x00g\\x00>\\x00"
              },
              {
                "name": "Length",
                "value": "138"
              }
            ],
            "repeated": 0,
            "id": 2502
          },
          {
            "timestamp": "2026-04-16 20:00:23,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\r\\x00\n\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 2503
          },
          {
            "timestamp": "2026-04-16 20:00:23,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\t\\x00"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 1,
            "id": 2504
          },
          {
            "timestamp": "2026-04-16 20:00:23,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "<\\x00R\\x00e\\x00v\\x00i\\x00s\\x00i\\x00o\\x00n\\x00>\\x002\\x000\\x000\\x006\\x00<\\x00/\\x00R\\x00e\\x00v\\x00i\\x00s\\x00i\\x00o\\x00n\\x00>\\x00"
              },
              {
                "name": "Length",
                "value": "50"
              }
            ],
            "repeated": 0,
            "id": 2505
          },
          {
            "timestamp": "2026-04-16 20:00:23,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\r\\x00\n\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 2506
          },
          {
            "timestamp": "2026-04-16 20:00:23,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\t\\x00"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 1,
            "id": 2507
          },
          {
            "timestamp": "2026-04-16 20:00:23,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "<\\x00F\\x00l\\x00a\\x00v\\x00o\\x00r\\x00>\\x00M\\x00u\\x00l\\x00t\\x00i\\x00p\\x00r\\x00o\\x00c\\x00e\\x00s\\x00s\\x00o\\x00r\\x00 \\x00F\\x00r\\x00e\\x00e\\x00<\\x00/\\x00F\\x00l\\x00a\\x00v\\x00o\\x00r\\x00>\\x00"
              },
              {
                "name": "Length",
                "value": "72"
              }
            ],
            "repeated": 0,
            "id": 2508
          },
          {
            "timestamp": "2026-04-16 20:00:23,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\r\\x00\n\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 2509
          },
          {
            "timestamp": "2026-04-16 20:00:23,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\t\\x00"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 1,
            "id": 2510
          },
          {
            "timestamp": "2026-04-16 20:00:23,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "<\\x00A\\x00r\\x00c\\x00h\\x00i\\x00t\\x00e\\x00c\\x00t\\x00u\\x00r\\x00e\\x00>\\x00X\\x006\\x004\\x00<\\x00/\\x00A\\x00r\\x00c\\x00h\\x00i\\x00t\\x00e\\x00c\\x00t\\x00u\\x00r\\x00e\\x00>\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 2511
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\r\\x00\n\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 2512
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\t\\x00"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 1,
            "id": 2513
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "<\\x00L\\x00C\\x00I\\x00D\\x00>\\x001\\x000\\x004\\x009\\x00<\\x00/\\x00L\\x00C\\x00I\\x00D\\x00>\\x00"
              },
              {
                "name": "Length",
                "value": "34"
              }
            ],
            "repeated": 0,
            "id": 2514
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "EventName",
                "value": "\\KernelObjects\\MemoryErrors"
              }
            ],
            "repeated": 0,
            "id": 2515
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              }
            ],
            "repeated": 0,
            "id": 2516
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\r\\x00\n\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 2517
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\t\\x00"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 2518
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "<\\x00/\\x00O\\x00S\\x00V\\x00e\\x00r\\x00s\\x00i\\x00o\\x00n\\x00I\\x00n\\x00f\\x00o\\x00r\\x00m\\x00a\\x00t\\x00i\\x00o\\x00n\\x00>\\x00"
              },
              {
                "name": "Length",
                "value": "46"
              }
            ],
            "repeated": 0,
            "id": 2519
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "windows.storage.dll"
              }
            ],
            "repeated": 0,
            "id": 2520
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.storage.dll"
              }
            ],
            "repeated": 0,
            "id": 2521
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.storage.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2522
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002f8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\windows.storage.dll"
              }
            ],
            "repeated": 0,
            "id": 2523
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002fc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75700000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0060d000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2524
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75ca5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2525
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2526
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2527
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75c9f000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2528
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "Wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 2529
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 2530
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              }
            ],
            "repeated": 0,
            "id": 2531
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 2532
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 2533
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wldp.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2534
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002f8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 2535
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002fc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x756d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00027000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2536
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x756f2000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2537
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2538
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2539
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x756f0000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2540
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 2541
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              }
            ],
            "repeated": 0,
            "id": 2542
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75c9f000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2543
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x02\\x00\\x00\\x00X#]\\x00a\\x00m\\x00\\x02\\x00\\x00\\x00\\xd0#]\\x00\\\\x00M\\x00\\x02\\x00\\x00\\x00\\xa8!]\\x00s\\x00o\\x00\\x02\\x00\\x00\\x00\\x00$]\\x00i\\x00n\\x00\\x02\\x00\\x00\\x00H$]\\x00\\\\x00W\\x00\\x02\\x00\\x00\\x00\\xc0!]\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2544
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x756f0000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2545
          },
          {
            "timestamp": "2026-04-16 20:00:23,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\Wldp"
              },
              {
                "name": "DllBase",
                "value": "0x756d0000"
              }
            ],
            "repeated": 0,
            "id": 2546
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\windows.storage"
              },
              {
                "name": "DllBase",
                "value": "0x75700000"
              }
            ],
            "repeated": 0,
            "id": 2547
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "api-ms-win-eventing-provider-l1-1-0.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77150000"
              }
            ],
            "repeated": 0,
            "id": 2548
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77150000"
              },
              {
                "name": "FunctionName",
                "value": "EventSetInformation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e70b80"
              }
            ],
            "repeated": 0,
            "id": 2549
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\wldp"
              },
              {
                "name": "BaseAddress",
                "value": "0x756d0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x756d8bd0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2550
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "api-ms-win-core-synch-l1-2-0.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77150000"
              }
            ],
            "repeated": 0,
            "id": 2551
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77150000"
              },
              {
                "name": "FunctionName",
                "value": "InitializeConditionVariable"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea4e10"
              }
            ],
            "repeated": 0,
            "id": 2552
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77150000"
              },
              {
                "name": "FunctionName",
                "value": "SleepConditionVariableCS"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77308040"
              }
            ],
            "repeated": 0,
            "id": 2553
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77150000"
              },
              {
                "name": "FunctionName",
                "value": "WakeAllConditionVariable"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eaa570"
              }
            ],
            "repeated": 0,
            "id": 2554
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75ca5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2555
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75ca5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2556
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 2557
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e724f0"
              }
            ],
            "repeated": 0,
            "id": 2558
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb40c0"
              }
            ],
            "repeated": 0,
            "id": 2559
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e70780"
              }
            ],
            "repeated": 0,
            "id": 2560
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eac2a0"
              }
            ],
            "repeated": 0,
            "id": 2561
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea52e0"
              }
            ],
            "repeated": 0,
            "id": 2562
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 2563
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031c"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:3832:168:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2564
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2565
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2566
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2567
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 2568
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031c"
              }
            ],
            "repeated": 1,
            "id": 2569
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\windows.storage"
              },
              {
                "name": "BaseAddress",
                "value": "0x75700000"
              },
              {
                "name": "InitRoutine",
                "value": "0x758db920"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2570
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70642000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2571
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70642000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2572
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75ca5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2573
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75ca5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2574
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000006"
              },
              {
                "name": "ObjectAttributes",
                "value": "windows_shell_global_counters"
              }
            ],
            "repeated": 0,
            "id": 2575
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000032c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x039f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x03dfe71c"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2576
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 2577
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2578
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75ca5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2579
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75ca5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2580
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xe6\\xdf\\x03`\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2581
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2582
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000334"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2583
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75ca5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2584
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75ca5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2585
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000334"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
              }
            ],
            "repeated": 0,
            "id": 2586
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000334"
              }
            ],
            "repeated": 0,
            "id": 2587
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2588
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Cache"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2589
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2590
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2591
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft\\Windows\\INetCache"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2592
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2593
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2594
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2595
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2596
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2597
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2598
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2599
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2600
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2601
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2602
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2603
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2604
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2605
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2606
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2607
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2608
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75ca5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2609
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75ca5000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2610
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000338"
              },
              {
                "name": "ObjectAttributesName",
                "value": "PropertyBag"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2611
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000338"
              }
            ],
            "repeated": 0,
            "id": 2612
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2613
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 2614
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000334"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000338"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SessionInfo\\1"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1"
              }
            ],
            "repeated": 0,
            "id": 2615
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000334"
              },
              {
                "name": "ObjectAttributesName",
                "value": "KnownFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 2616
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000334"
              }
            ],
            "repeated": 0,
            "id": 2617
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf4\\xe4\\xdf\\x03\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xcc\\x04\\x82\\xdf\\xb2e\\xf3\\xf4\\xc8\\x97L\\xbe\\xe8\\x03\\x00\\x00\\xfe\\xff\\xff\\xfft\\xe5\\xdf\\x03\\xe6\\xec}u\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf5\\xec}u\\x10\\xb0uu\\x98\\xe5\\xdf\\x03\\x94\\xe5\\xdf\\x03\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2618
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000334"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 2619
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000033c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000334"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 2620
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000334"
              }
            ],
            "repeated": 0,
            "id": 2621
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000033c"
              },
              {
                "name": "ValueName",
                "value": "Cache"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%USERPROFILE%\\AppData\\Local\\Microsoft\\Windows\\INetCache"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Cache"
              }
            ],
            "repeated": 0,
            "id": 2622
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000022c"
              },
              {
                "name": "ValueName",
                "value": "ru-RU"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 2623
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000022c"
              },
              {
                "name": "ValueName",
                "value": "ru"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{0000004A-57EE-1E5C-00B4-D0000BB1E11E}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru"
              }
            ],
            "repeated": 0,
            "id": 2624
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 2625
          },
          {
            "timestamp": "2026-04-16 20:00:23,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              }
            ],
            "repeated": 0,
            "id": 2626
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 2627
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 2628
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000033c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2629
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000330"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000033c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 2630
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000330"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75250000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2631
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7525c000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2632
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2633
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2634
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75259000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2635
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 2636
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              }
            ],
            "repeated": 0,
            "id": 2637
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75259000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2638
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x75250000"
              }
            ],
            "repeated": 0,
            "id": 2639
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0xffffffff87b34a01",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\kernel.appcore"
              },
              {
                "name": "BaseAddress",
                "value": "0x75250000"
              },
              {
                "name": "InitRoutine",
                "value": "0x752547e0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2640
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70642000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2641
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70642000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2642
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000218"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000033c"
              }
            ],
            "repeated": 0,
            "id": 2643
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2644
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00T\\xcf]\\x00 \\x00 \\x00l\\xcf]\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x90\\xcf]\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x00\\x00\\x00\\x00K\\x00\\x00\\x00\\x00\\x00\\x00\\x00)t\\x11\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2645
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              }
            ],
            "repeated": 0,
            "id": 2646
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2647
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\r\\x00\n\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 2648
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\t\\x00"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 2649
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "<\\x00P\\x00r\\x00o\\x00c\\x00e\\x00s\\x00s\\x00I\\x00n\\x00f\\x00o\\x00r\\x00m\\x00a\\x00t\\x00i\\x00o\\x00n\\x00>\\x00"
              },
              {
                "name": "Length",
                "value": "40"
              }
            ],
            "repeated": 0,
            "id": 2650
          },
          {
            "timestamp": "2026-04-16 20:00:23,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "Buffer",
                "value": "\r\\x00\n\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              },
              {
                "name": "Status",
                "value": "Maximum logged writes reached for this file"
              }
            ],
            "repeated": 0,
            "id": 2651
          },
          {
            "timestamp": "2026-04-16 20:00:23,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\IPT"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2652
          },
          {
            "timestamp": "2026-04-16 20:00:23,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7304"
              }
            ],
            "repeated": 0,
            "id": 2653
          },
          {
            "timestamp": "2026-04-16 20:00:23,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "Kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 2654
          },
          {
            "timestamp": "2026-04-16 20:00:23,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "QueryActCtxW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ac8760"
              }
            ],
            "repeated": 0,
            "id": 2655
          },
          {
            "timestamp": "2026-04-16 20:00:23,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetModuleHandleExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad1640"
              }
            ],
            "repeated": 0,
            "id": 2656
          },
          {
            "timestamp": "2026-04-16 20:00:23,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateActCtxW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad1f40"
              }
            ],
            "repeated": 0,
            "id": 2657
          },
          {
            "timestamp": "2026-04-16 20:00:23,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000033c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 2658
          },
          {
            "timestamp": "2026-04-16 20:00:23,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000033c"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 2659
          },
          {
            "timestamp": "2026-04-16 20:00:23,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              }
            ],
            "repeated": 0,
            "id": 2660
          },
          {
            "timestamp": "2026-04-16 20:00:23,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wer.dll.3.Manifest"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2661
          },
          {
            "timestamp": "2026-04-16 20:00:23,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "ActivateActCtx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0ac0"
              }
            ],
            "repeated": 0,
            "id": 2662
          },
          {
            "timestamp": "2026-04-16 20:00:23,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "FindActCtxSectionStringW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ac8900"
              }
            ],
            "repeated": 0,
            "id": 2663
          },
          {
            "timestamp": "2026-04-16 20:00:24,018",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4d\\Comctl32"
              },
              {
                "name": "DllBase",
                "value": "0x6fd80000"
              }
            ],
            "repeated": 0,
            "id": 2664
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "imm32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x774e0000"
              }
            ],
            "repeated": 0,
            "id": 2665
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "Comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fd80000"
              }
            ],
            "repeated": 0,
            "id": 2666
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "DeactivateActCtx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0aa0"
              }
            ],
            "repeated": 0,
            "id": 2667
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "phoneinfo.dll"
              }
            ],
            "repeated": 0,
            "id": 2668
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\phoneinfo.dll"
              }
            ],
            "repeated": 0,
            "id": 2669
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2670
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 2671
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "MachineID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MachineID"
              }
            ],
            "repeated": 0,
            "id": 2672
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "MachineID"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{DEA0B215-B8D4-44C0-B1F3-E3A7DA9D6FC6}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MachineID"
              }
            ],
            "repeated": 0,
            "id": 2673
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2674
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\drivers\\*.mrk"
              }
            ],
            "repeated": 0,
            "id": 2675
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2676
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SYSTEM\\Platform\\DeviceTargetingInfo"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\Platform\\DeviceTargetingInfo"
              }
            ],
            "repeated": 0,
            "id": 2677
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2678
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SYSTEM\\CurrentControlSet\\Control\\SystemInformation"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SystemInformation"
              }
            ],
            "repeated": 0,
            "id": 2679
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "SystemManufacturer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer"
              }
            ],
            "repeated": 0,
            "id": 2680
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "SystemManufacturer"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "QEMU"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer"
              }
            ],
            "repeated": 0,
            "id": 2681
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "BIOSVersion"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\BIOSVersion"
              }
            ],
            "repeated": 0,
            "id": 2682
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "BIOSVersion"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "rel-1.16.3-0-ga6ed6b7-prebuilt.qemu.org"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\BIOSVersion"
              }
            ],
            "repeated": 0,
            "id": 2683
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "SystemProductName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemProductName"
              }
            ],
            "repeated": 0,
            "id": 2684
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "SystemProductName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Standard PC (Q35 + ICH9, 2009)"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemProductName"
              }
            ],
            "repeated": 0,
            "id": 2685
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2686
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2687
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 2688
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "InstallDate"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1772654483"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate"
              }
            ],
            "repeated": 0,
            "id": 2689
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2690
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2691
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\WindowsUpdate\\Orchestrator\\Installation\\Target"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WindowsUpdate\\Orchestrator\\Installation\\Target"
              }
            ],
            "repeated": 0,
            "id": 2692
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2693
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Shell\\OOBE"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Shell\\OOBE"
              }
            ],
            "repeated": 0,
            "id": 2694
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2695
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\OOBE\\Stats"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\OOBE\\Stats"
              }
            ],
            "repeated": 0,
            "id": 2696
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "EndTimeStamp"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\xea\\x07\\x03\\x00\\x03\\x00\\x04\\x00\\x14\\x00\\x00\\x00\\x15\\x00L\\x03"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE\\Stats\\EndTimeStamp"
              }
            ],
            "repeated": 0,
            "id": 2697
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2698
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "44"
              }
            ],
            "repeated": 0,
            "id": 2699
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 2700
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetSystemTimeAndBias"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ec7190"
              }
            ],
            "repeated": 0,
            "id": 2701
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\tzres.dll"
              }
            ],
            "repeated": 0,
            "id": 2702
          },
          {
            "timestamp": "2026-04-16 20:00:24,205",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\tzres.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2703
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000334"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002f0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\tzres.dll"
              }
            ],
            "repeated": 0,
            "id": 2704
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000334"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03c60000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00003000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2705
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000334"
              }
            ],
            "repeated": 0,
            "id": 2706
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2707
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 2708
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "Latest"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest"
              }
            ],
            "repeated": 0,
            "id": 2709
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2710
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\tzres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2711
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000334"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002f0"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\tzres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 2712
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000334"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03c70000"
              },
              {
                "name": "SectionOffset",
                "value": "0x03dfdab0"
              },
              {
                "name": "ViewSize",
                "value": "0x0000e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2713
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000334"
              }
            ],
            "repeated": 0,
            "id": 2714
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              }
            ],
            "repeated": 0,
            "id": 2715
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2716
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\tzres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2717
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\sysnative\\ru-RU\\tzres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2718
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000340"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002f0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\tzres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 2719
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000340"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03c70000"
              },
              {
                "name": "SectionOffset",
                "value": "0x03dfdab0"
              },
              {
                "name": "ViewSize",
                "value": "0x0000b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2720
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000340"
              }
            ],
            "repeated": 0,
            "id": 2721
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              }
            ],
            "repeated": 0,
            "id": 2722
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2723
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03c60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 2724
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\tzres.dll"
              }
            ],
            "repeated": 0,
            "id": 2725
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\tzres.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2726
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000340"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002f0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\tzres.dll"
              }
            ],
            "repeated": 0,
            "id": 2727
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000340"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03c60000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00003000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2728
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000340"
              }
            ],
            "repeated": 0,
            "id": 2729
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2730
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 2731
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ValueName",
                "value": "Latest"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest"
              }
            ],
            "repeated": 0,
            "id": 2732
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2733
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\tzres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2734
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000340"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002f0"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\tzres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 2735
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000340"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03c70000"
              },
              {
                "name": "SectionOffset",
                "value": "0x03dfdab0"
              },
              {
                "name": "ViewSize",
                "value": "0x0000e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2736
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000340"
              }
            ],
            "repeated": 0,
            "id": 2737
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              }
            ],
            "repeated": 0,
            "id": 2738
          },
          {
            "timestamp": "2026-04-16 20:00:24,221",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2739
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\tzres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2740
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000330"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\sysnative\\ru-RU\\tzres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2741
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000330"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ru-RU\\tzres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 2742
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002e0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03c70000"
              },
              {
                "name": "SectionOffset",
                "value": "0x03dfdab0"
              },
              {
                "name": "ViewSize",
                "value": "0x0000b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2743
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 2744
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              }
            ],
            "repeated": 0,
            "id": 2745
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 2746
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03c60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 2747
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2748
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SYSTEM\\CurrentControlSet\\Services\\DAM\\PowerEvents"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DAM\\PowerEvents"
              }
            ],
            "repeated": 0,
            "id": 2749
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2750
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SYSTEM\\CurrentControlSet\\Services\\DAM\\PowerEvents"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DAM\\PowerEvents"
              }
            ],
            "repeated": 0,
            "id": 2751
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2752
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SYSTEM\\CurrentControlSet\\Services\\DAM\\PowerEvents"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DAM\\PowerEvents"
              }
            ],
            "repeated": 0,
            "id": 2753
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2754
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SYSTEM\\CurrentControlSet\\Services\\DAM\\PowerEvents"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DAM\\PowerEvents"
              }
            ],
            "repeated": 0,
            "id": 2755
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2756
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SYSTEM\\CurrentControlSet\\Control\\SecureBoot\\State"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecureBoot\\State"
              }
            ],
            "repeated": 0,
            "id": 2757
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2758
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SYSTEM\\CurrentControlSet\\Control"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control"
              }
            ],
            "repeated": 0,
            "id": 2759
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "ValueName",
                "value": "ContainerType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ContainerType"
              }
            ],
            "repeated": 0,
            "id": 2760
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 2761
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2762
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SYSTEM\\CurrentControlSet\\Control"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control"
              }
            ],
            "repeated": 0,
            "id": 2763
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "ValueName",
                "value": "ContainerId"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ContainerId"
              }
            ],
            "repeated": 0,
            "id": 2764
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 2765
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 2766
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 2767
          },
          {
            "timestamp": "2026-04-16 20:00:24,236",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              }
            ],
            "repeated": 0,
            "id": 2768
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2769
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 2770
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2771
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\TelemetryClient\\Debug"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\TelemetryClient\\Debug"
              }
            ],
            "repeated": 0,
            "id": 2772
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2773
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\TelemetryClient\\Debug"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\TelemetryClient\\Debug"
              }
            ],
            "repeated": 0,
            "id": 2774
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2775
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\TelemetryClient\\Debug"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\TelemetryClient\\Debug"
              }
            ],
            "repeated": 0,
            "id": 2776
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2777
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\TelemetryClient\\Debug"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\TelemetryClient\\Debug"
              }
            ],
            "repeated": 0,
            "id": 2778
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2779
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 2780
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "ValueName",
                "value": "MachineID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MachineID"
              }
            ],
            "repeated": 0,
            "id": 2781
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "ValueName",
                "value": "MachineID"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{DEA0B215-B8D4-44C0-B1F3-E3A7DA9D6FC6}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MachineID"
              }
            ],
            "repeated": 0,
            "id": 2782
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 2783
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "NETAPI32.dll"
              }
            ],
            "repeated": 0,
            "id": 2784
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\NETAPI32.dll"
              }
            ],
            "repeated": 0,
            "id": 2785
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\netapi32.dll"
              }
            ],
            "repeated": 0,
            "id": 2786
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\netapi32.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2787
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000340"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002f0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\netapi32.dll"
              }
            ],
            "repeated": 0,
            "id": 2788
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000340"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75470000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00014000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2789
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75481000"
              },
              {
                "name": "ModuleName",
                "value": "NETAPI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2790
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2791
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2792
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75480000"
              },
              {
                "name": "ModuleName",
                "value": "NETAPI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2793
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000340"
              }
            ],
            "repeated": 0,
            "id": 2794
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2795
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75480000"
              },
              {
                "name": "ModuleName",
                "value": "NETAPI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2796
          },
          {
            "timestamp": "2026-04-16 20:00:24,252",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\NETAPI32"
              },
              {
                "name": "DllBase",
                "value": "0x75470000"
              }
            ],
            "repeated": 0,
            "id": 2797
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\netapi32"
              },
              {
                "name": "BaseAddress",
                "value": "0x75470000"
              },
              {
                "name": "InitRoutine",
                "value": "0x75471de0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2798
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "DSREG.DLL"
              }
            ],
            "repeated": 0,
            "id": 2799
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\DSREG.DLL"
              }
            ],
            "repeated": 0,
            "id": 2800
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\dsreg.dll"
              }
            ],
            "repeated": 0,
            "id": 2801
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\dsreg.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2802
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000340"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002f0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\dsreg.dll"
              }
            ],
            "repeated": 0,
            "id": 2803
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000340"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75310000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00104000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2804
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x753f1000"
              },
              {
                "name": "ModuleName",
                "value": "DSREG.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2805
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2806
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2807
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x753ed000"
              },
              {
                "name": "ModuleName",
                "value": "DSREG.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2808
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "msvcp110_win.dll"
              }
            ],
            "repeated": 0,
            "id": 2809
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000340"
              }
            ],
            "repeated": 0,
            "id": 2810
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2811
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\msvcp110_win.dll"
              }
            ],
            "repeated": 0,
            "id": 2812
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msvcp110_win.dll"
              }
            ],
            "repeated": 0,
            "id": 2813
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msvcp110_win.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2814
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000340"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002f0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\msvcp110_win.dll"
              }
            ],
            "repeated": 0,
            "id": 2815
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000340"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x752a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00065000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2816
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2817
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2818
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x752ff000"
              },
              {
                "name": "ModuleName",
                "value": "msvcp110_win.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2819
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000340"
              }
            ],
            "repeated": 0,
            "id": 2820
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 2821
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x753ed000"
              },
              {
                "name": "ModuleName",
                "value": "DSREG.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2822
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\t\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00w\\x00s\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00W\\x00O\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00m\\x00s\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x001\\x000\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00.\\x00d\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2823
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x752ff000"
              },
              {
                "name": "ModuleName",
                "value": "msvcp110_win.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2824
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x752a0000"
              }
            ],
            "repeated": 0,
            "id": 2825
          },
          {
            "timestamp": "2026-04-16 20:00:24,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\DSREG"
              },
              {
                "name": "DllBase",
                "value": "0x75310000"
              }
            ],
            "repeated": 0,
            "id": 2826
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\msvcp110_win"
              },
              {
                "name": "BaseAddress",
                "value": "0x752a0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x752d6de0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2827
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\dsreg"
              },
              {
                "name": "BaseAddress",
                "value": "0x75310000"
              },
              {
                "name": "InitRoutine",
                "value": "0x753da040"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2828
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70642000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2829
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70642000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2830
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2831
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SYSTEM\\CurrentControlSet\\Control\\MiniNT"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNT"
              }
            ],
            "repeated": 0,
            "id": 2832
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x753f1000"
              },
              {
                "name": "ModuleName",
                "value": "DSREG.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2833
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x753f1000"
              },
              {
                "name": "ModuleName",
                "value": "DSREG.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2834
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2835
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SYSTEM\\CurrentControlSet\\Services\\crypt32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32"
              }
            ],
            "repeated": 0,
            "id": 2836
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "ValueName",
                "value": "DiagLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagLevel"
              }
            ],
            "repeated": 0,
            "id": 2837
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "ValueName",
                "value": "DiagMatchAnyMask"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagMatchAnyMask"
              }
            ],
            "repeated": 0,
            "id": 2838
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e8"
              }
            ],
            "repeated": 0,
            "id": 2839
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2840
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SYSTEM\\CurrentControlSet\\Services\\crypt32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32"
              }
            ],
            "repeated": 0,
            "id": 2841
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2842
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Cryptography\\OID"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID"
              }
            ],
            "repeated": 0,
            "id": 2843
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2844
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "7760",
            "caller": "0x7726f231",
            "parentcaller": "0x736e2c18",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 2845
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000360"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "EncodingType 0"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0"
              }
            ],
            "repeated": 0,
            "id": 2846
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 2847
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 2848
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "7760",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2849
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 2850
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 2851
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 2852
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 2853
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000022c"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US"
              }
            ],
            "repeated": 0,
            "id": 2854
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000022c"
              },
              {
                "name": "ValueName",
                "value": "en"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en"
              }
            ],
            "repeated": 0,
            "id": 2855
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000360"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CertDllOpenStoreProv"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv"
              }
            ],
            "repeated": 0,
            "id": 2856
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2857
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "#16"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\#16"
              }
            ],
            "repeated": 0,
            "id": 2858
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffad\\xff85\\xff823\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00B\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 2859
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2860
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2861
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 2862
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2863
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Ldap"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\Ldap"
              }
            ],
            "repeated": 0,
            "id": 2864
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffad\\xff85\\xff823\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00B\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 2865
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2866
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtEnumerateValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "KeyValueInformationClass",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2867
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 2868
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 2869
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 2870
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000360"
              }
            ],
            "repeated": 0,
            "id": 2871
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2872
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000360"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "EncodingType 1"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1"
              }
            ],
            "repeated": 0,
            "id": 2873
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000360"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CertDllOpenStoreProv"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CertDllOpenStoreProv"
              }
            ],
            "repeated": 0,
            "id": 2874
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000360"
              }
            ],
            "repeated": 0,
            "id": 2875
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 2876
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 2877
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2878
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\SystemCertificates\\My\\PhysicalStores"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\My\\PhysicalStores"
              }
            ],
            "repeated": 0,
            "id": 2879
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2880
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\SystemCertificates\\My"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\My"
              }
            ],
            "repeated": 0,
            "id": 2881
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 2882
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2883
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\SystemCertificates\\My"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\My"
              }
            ],
            "repeated": 0,
            "id": 2884
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000360"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\MY\\"
              }
            ],
            "repeated": 0,
            "id": 2885
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000360"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Certificates"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\MY\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 2886
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "KeyInformation",
                "value": ";vP\\xff81\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 1,
            "id": 2887
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 2888
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000360"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CRLs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\MY\\CRLs"
              }
            ],
            "repeated": 0,
            "id": 2889
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "KeyInformation",
                "value": ";vP\\xff81\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 1,
            "id": 2890
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 2891
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000360"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CTLs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\MY\\CTLs"
              }
            ],
            "repeated": 0,
            "id": 2892
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "KeyInformation",
                "value": ";vP\\xff81\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 1,
            "id": 2893
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 2894
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 2895
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000360"
              }
            ],
            "repeated": 0,
            "id": 2896
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76d6e000"
              },
              {
                "name": "ModuleName",
                "value": "CRYPT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2897
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76d6e000"
              },
              {
                "name": "ModuleName",
                "value": "CRYPT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2898
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 2899
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000360"
              }
            ],
            "repeated": 0,
            "id": 2900
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2901
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000360"
              }
            ],
            "repeated": 0,
            "id": 2902
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 2903
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000360"
              }
            ],
            "repeated": 0,
            "id": 2904
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2905
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000360"
              }
            ],
            "repeated": 0,
            "id": 2906
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 2907
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000360"
              }
            ],
            "repeated": 0,
            "id": 2908
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2909
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000360"
              }
            ],
            "repeated": 0,
            "id": 2910
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000360"
              }
            ],
            "repeated": 0,
            "id": 2911
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xe6\\xdf\\x03\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xcc\\x04\\x82\\xdf\\xb2e\\xf3\\xf4\\xc8\\x97L\\xbe\\xe8\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xfbn:us+\\x00\\x10\\x00\\x00\\x00\\x00\\xd7+\\x00\\x103\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\xe0\\x03\\x00\\x00\\x00\\x00\\xa8\\xe6\\xdf\\x03d\\xff\\xdf\\x03x\\xee\\xdf\\x03s+\\x00\\x10\\xc8\\xfb\rt\\xd7+\\x00\\x10 \\xe7\\xdf\\x036\\xa7\\xecs\\xc0\\xab\\x0bt\\xc8M\\x13t$\\xfdv\\x02\\xc8\\xfb\rt\\x0fo:uT\\xe2\\xdf\\x03i\\xa7\\xeasx\\xee\\xdf\\x03\\xd0\\xa9\\x01t\\xa3\\xde\\xe8\\x02\\xfe\\xff\\xff\\xffl\\xe7\\xdf\\x03F\\xd9\\xeds5\\x00\\x00\\x00\\x8c\\xef\\x0bt\\xe0\\x14\\x0ct\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdb\\x14\\x0ct\\x98\\x12\\x0ct\\xff\\xff\\xff\\xff\\xc8\\xda\\x0bt\\x08\\x00\\x00\\x00\\xcc\\x14\\x0ct\\xac\\xe7\\xdf\\x03\\x14\\xea\\xcc\\xe7l\\xe7\\\\xe7\\xd0\\xe7\\x00\\x00\\xac\\xe9\\x00\\x00\\x14\\xea\\xdf\\x03\\xcc\\xe7\\xdf\\x03\\xd0\\xe7\\xdf\\x03\\x00\\x00\\x00\\x00\\x80\\xe7\\xdf\\x03\\xc4<&w\\xff\\xff\\xff\\xff\\x08\\x00\\x00\\x00\\xac\\xe7\\xdf\\x03"
              }
            ],
            "repeated": 0,
            "id": 2912
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000360"
              }
            ],
            "repeated": 0,
            "id": 2913
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2914
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000360"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_USERS"
              }
            ],
            "repeated": 0,
            "id": 2915
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2916
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000360"
              },
              {
                "name": "ObjectAttributesName",
                "value": "S-1-5-21-3749840076-4109591986-3192690632-1000"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 2917
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\SystemCertificates\\My\\PhysicalStores"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\SystemCertificates\\My\\PhysicalStores"
              }
            ],
            "repeated": 0,
            "id": 2918
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 2919
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 2920
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 2921
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2922
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 2923
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 2924
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xe6\\xdf\\x03\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xcc\\x04\\x82\\xdf\\xb2e\\xf3\\xf4\\xc8\\x97L\\xbe\\xe8\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xfbn:us+\\x00\\x10\\x00\\x00\\x00\\x00\\xd7+\\x00\\x103\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\xe0\\x03\\x00\\x00\\x00\\x00\\xa8\\xe6\\xdf\\x03d\\xff\\xdf\\x03x\\xee\\xdf\\x03s+\\x00\\x10\\xc8\\xfb\rt\\xd7+\\x00\\x10 \\xe7\\xdf\\x036\\xa7\\xecs\\xc0\\xab\\x0bt\\xc8M\\x13t$\\xfdv\\x02\\xc8\\xfb\rt\\x0fo:uT\\xe2\\xdf\\x03i\\xa7\\xeasx\\xee\\xdf\\x03\\xd0\\xa9\\x01t\\xa3\\xde\\xe8\\x02\\xfe\\xff\\xff\\xffl\\xe7\\xdf\\x03F\\xd9\\xeds5\\x00\\x00\\x00\\x8c\\xef\\x0bt\\xe0\\x14\\x0ct\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdb\\x14\\x0ct\\x98\\x12\\x0ct\\xff\\xff\\xff\\xff\\xc8\\xda\\x0bt\\x08\\x00\\x00\\x00\\xcc\\x14\\x0ct\\xac\\xe7\\xdf\\x03\\x14\\xea\\xcc\\xe7l\\xe7\\\\xe7\\xd0\\xe7\\x00\\x00\\xac\\xe9\\x00\\x00\\x14\\xea\\xdf\\x03\\xcc\\xe7\\xdf\\x03\\xd0\\xe7\\xdf\\x03\\x00\\x00\\x00\\x00\\x80\\xe7\\xdf\\x03\\xc4<&w\\xff\\xff\\xff\\xff\\x08\\x00\\x00\\x00\\xac\\xe7\\xdf\\x03"
              }
            ],
            "repeated": 0,
            "id": 2925
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 2926
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2927
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000360"
              },
              {
                "name": "ObjectAttributesName",
                "value": "S-1-5-21-3749840076-4109591986-3192690632-1000"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 2928
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\SystemCertificates\\My"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\SystemCertificates\\My"
              }
            ],
            "repeated": 0,
            "id": 2929
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 2930
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 2931
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 2932
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 2933
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2934
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 2935
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 2936
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 2937
          },
          {
            "timestamp": "2026-04-16 20:00:24,283",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "profapi.dll"
              }
            ],
            "repeated": 0,
            "id": 2938
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\profapi.dll"
              }
            ],
            "repeated": 0,
            "id": 2939
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\profapi.dll"
              }
            ],
            "repeated": 0,
            "id": 2940
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\profapi.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2941
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000035c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\profapi.dll"
              }
            ],
            "repeated": 0,
            "id": 2942
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000368"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75260000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2943
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75275000"
              },
              {
                "name": "ModuleName",
                "value": "profapi.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2944
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2945
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2946
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75273000"
              },
              {
                "name": "ModuleName",
                "value": "profapi.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2947
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 2948
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 2949
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75273000"
              },
              {
                "name": "ModuleName",
                "value": "profapi.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2950
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\profapi"
              },
              {
                "name": "DllBase",
                "value": "0x75260000"
              }
            ],
            "repeated": 0,
            "id": 2951
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\profapi"
              },
              {
                "name": "BaseAddress",
                "value": "0x75260000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7526a250"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2952
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76d6e000"
              },
              {
                "name": "ModuleName",
                "value": "CRYPT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2953
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x76d6e000"
              },
              {
                "name": "ModuleName",
                "value": "CRYPT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2954
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 2955
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18M^\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xcc\\x04\\x82\\xdf\\xb2e\\xf3\\xf4\\xc8\\x97L\\xbe\\xe8\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2956
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75275000"
              },
              {
                "name": "ModuleName",
                "value": "profapi.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2957
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x75275000"
              },
              {
                "name": "ModuleName",
                "value": "profapi.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2958
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 2959
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2960
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3749840076-4109591986-3192690632-1000"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3749840076-4109591986-3192690632-1000"
              }
            ],
            "repeated": 0,
            "id": 2961
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3749840076-4109591986-3192690632-1000\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 2962
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Users\\cape"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3749840076-4109591986-3192690632-1000\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 2963
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 2964
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "w}\\x13\\x00\\x00\\x00\\x00\\x00\\xcc\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x02\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xaeV\\x13\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2965
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 2966
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 2967
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 2968
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2969
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 2970
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 2971
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xe5\\xdf\\x03\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xcc\\x04\\x82\\xdf\\xb2e\\xf3\\xf4\\xc8\\x97L\\xbe\\xe8\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xb3m:us+\\x00\\x10\\x00\\x00\\x00\\x00\\xd7+\\x00\\x100\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\xe0\\x03\\x00\\x00\\x00\\x00p\\xe5\\xdf\\x03d\\xff\\xdf\\x03x\\xee\\xdf\\x03s+\\x00\\x10\\xc8\\xfb\rt\\xd7+\\x00\\x10\\xe8\\xe5\\xdf\\x036\\xa7\\xecs\\xc0\\xab\\x0bt\\xc8M\\x13t$\\xfdv\\x02\\xc8\\xfb\rt\\xc7m:u\\x1c\\xe1\\xdf\\x03i\\xa7\\xeasx\\xee\\xdf\\x03\\xd0\\xa9\\x01t\\xa3\\xde\\xe8\\x02\\xfe\\xff\\xff\\xff4\\xe6\\xdf\\x03F\\xd9\\xeds5\\x00\\x00\\x00\\x8c\\xef\\x0bt\\xe0\\x14\\x0ct\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdb\\x14\\x0ct\\x98\\x12\\x0ct\\xff\\xff\\xff\\xff\\xc8\\xda\\x0bt\\x08\\x00\\x00\\x00\\xcc\\x14\\x0ctt\\xe6\\xdf\\x03\\xdc\\xe8\\x94\\xe64\\xe6$\\xe6\\x98\\xe6\\x00\\x00\\xac\\xe9\\x00\\x00\\xdc\\xe8\\xdf\\x03\\x94\\xe6\\xdf\\x03\\x98\\xe6\\xdf\\x03\\x00\\x00\\x00\\x00H\\xe6\\xdf\\x03\\xc4<&w\\xff\\xff\\xff\\xff\\x08\\x00\\x00\\x00t\\xe6\\xdf\\x03"
              }
            ],
            "repeated": 0,
            "id": 2972
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 2973
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2974
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000360"
              },
              {
                "name": "ObjectAttributesName",
                "value": "S-1-5-21-3749840076-4109591986-3192690632-1000"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 2975
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\SystemCertificates\\My"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\SystemCertificates\\My"
              }
            ],
            "repeated": 0,
            "id": 2976
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 2977
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2978
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 2979
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005da868",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xbb3c3250"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dcac11"
              }
            ],
            "repeated": 0,
            "id": 2980
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 2981
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ObjectAttributesName",
                "value": ""
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\SystemCertificates\\MY\\"
              }
            ],
            "repeated": 0,
            "id": 2982
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Certificates"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\SystemCertificates\\MY\\Certificates"
              }
            ],
            "repeated": 0,
            "id": 2983
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005daaa8",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xbb3c3250"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dcac11"
              }
            ],
            "repeated": 0,
            "id": 2984
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 2985
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CRLs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\SystemCertificates\\MY\\CRLs"
              }
            ],
            "repeated": 0,
            "id": 2986
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005daaa8",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xbb3c3250"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dcac11"
              }
            ],
            "repeated": 0,
            "id": 2987
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 2988
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CTLs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\SystemCertificates\\MY\\CTLs"
              }
            ],
            "repeated": 0,
            "id": 2989
          },
          {
            "timestamp": "2026-04-16 20:00:24,299",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005dad68",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xbb3c3250"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dcac11"
              }
            ],
            "repeated": 0,
            "id": 2990
          },
          {
            "timestamp": "2026-04-16 20:00:24,314",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 2991
          },
          {
            "timestamp": "2026-04-16 20:00:24,314",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 2992
          },
          {
            "timestamp": "2026-04-16 20:00:24,314",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 2993
          },
          {
            "timestamp": "2026-04-16 20:00:24,314",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "XmlLite.dll"
              }
            ],
            "repeated": 0,
            "id": 2994
          },
          {
            "timestamp": "2026-04-16 20:00:24,314",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\XmlLite.dll"
              }
            ],
            "repeated": 0,
            "id": 2995
          },
          {
            "timestamp": "2026-04-16 20:00:24,314",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\xmllite.dll"
              }
            ],
            "repeated": 0,
            "id": 2996
          },
          {
            "timestamp": "2026-04-16 20:00:24,314",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\xmllite.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2997
          },
          {
            "timestamp": "2026-04-16 20:00:24,314",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000364"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\xmllite.dll"
              }
            ],
            "repeated": 0,
            "id": 2998
          },
          {
            "timestamp": "2026-04-16 20:00:24,314",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbd0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0002b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2999
          },
          {
            "timestamp": "2026-04-16 20:00:24,314",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3000
          },
          {
            "timestamp": "2026-04-16 20:00:24,314",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3001
          },
          {
            "timestamp": "2026-04-16 20:00:24,330",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbf7000"
              },
              {
                "name": "ModuleName",
                "value": "XmlLite.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3002
          },
          {
            "timestamp": "2026-04-16 20:00:24,330",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3003
          },
          {
            "timestamp": "2026-04-16 20:00:24,330",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 3004
          },
          {
            "timestamp": "2026-04-16 20:00:24,330",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbf7000"
              },
              {
                "name": "ModuleName",
                "value": "XmlLite.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3005
          },
          {
            "timestamp": "2026-04-16 20:00:24,330",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\XmlLite"
              },
              {
                "name": "DllBase",
                "value": "0x6fbd0000"
              }
            ],
            "repeated": 0,
            "id": 3006
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\xmllite"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbd0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x6fbe0df0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 3007
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70642000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3008
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70642000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3009
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x005e9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3010
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3011
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3012
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 3013
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xe4\\xdf\\x03\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xcc\\x04\\x82\\xdf\\xb2e\\xf3\\xf4\\xc8\\x97L\\xbe\\xe8\\x03\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\xe0\\x027\\x02\\x01\\x00\\x00\\x00\\xc0\\x007\\x02\\x03\\x00\\x00\\x00\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\xaav\\x02"
              }
            ],
            "repeated": 0,
            "id": 3014
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3749840076-4109591986-3192690632-1000"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 3015
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000364"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Control Panel\\International\\Geo"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Control Panel\\International\\Geo"
              }
            ],
            "repeated": 0,
            "id": 3016
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 3017
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "Nation"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "203"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Control Panel\\International\\Geo\\Nation"
              }
            ],
            "repeated": 0,
            "id": 3018
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3019
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3020
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              }
            ],
            "repeated": 0,
            "id": 3021
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "608"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\608"
              }
            ],
            "repeated": 0,
            "id": 3022
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3023
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3024
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 3025
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "UBR"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2006"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\UBR"
              }
            ],
            "repeated": 0,
            "id": 3026
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3027
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3028
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient\\Windows"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows"
              }
            ],
            "repeated": 0,
            "id": 3029
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "TelemetryProtocolServerRoles"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\TelemetryProtocolServerRoles"
              }
            ],
            "repeated": 0,
            "id": 3030
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3031
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3032
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\WindowsUpdate\\Orchestrator\\Installation\\Target"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WindowsUpdate\\Orchestrator\\Installation\\Target"
              }
            ],
            "repeated": 0,
            "id": 3033
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3034
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Shell\\OOBE"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Shell\\OOBE"
              }
            ],
            "repeated": 0,
            "id": 3035
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3036
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\OOBE\\Stats"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\OOBE\\Stats"
              }
            ],
            "repeated": 0,
            "id": 3037
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "EndTimeStamp"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\xea\\x07\\x03\\x00\\x03\\x00\\x04\\x00\\x14\\x00\\x00\\x00\\x15\\x00L\\x03"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE\\Stats\\EndTimeStamp"
              }
            ],
            "repeated": 0,
            "id": 3038
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3039
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3040
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3041
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              }
            ],
            "repeated": 0,
            "id": 3042
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "9292"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\9292"
              }
            ],
            "repeated": 0,
            "id": 3043
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3044
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3045
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Internet Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer"
              }
            ],
            "repeated": 0,
            "id": 3046
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "svcVersion"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\svcVersion"
              }
            ],
            "repeated": 0,
            "id": 3047
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "svcVersion"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "11.789.19041.0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\svcVersion"
              }
            ],
            "repeated": 0,
            "id": 3048
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3049
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3050
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Internet Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer"
              }
            ],
            "repeated": 0,
            "id": 3051
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "svcUpdateVersion"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\svcUpdateVersion"
              }
            ],
            "repeated": 0,
            "id": 3052
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "svcUpdateVersion"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "11.0.1000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\svcUpdateVersion"
              }
            ],
            "repeated": 0,
            "id": 3053
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3054
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3055
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 3056
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "EditionID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\EditionID"
              }
            ],
            "repeated": 0,
            "id": 3057
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "EditionID"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Professional"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\EditionID"
              }
            ],
            "repeated": 0,
            "id": 3058
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3059
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3060
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              }
            ],
            "repeated": 0,
            "id": 3061
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "9197"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\9197"
              }
            ],
            "repeated": 0,
            "id": 3062
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3063
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3064
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              }
            ],
            "repeated": 0,
            "id": 3065
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "35"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "8192"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\35"
              }
            ],
            "repeated": 0,
            "id": 3066
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3067
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3068
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              }
            ],
            "repeated": 0,
            "id": 3069
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "12729"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "99"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12729"
              }
            ],
            "repeated": 0,
            "id": 3070
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3071
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3072
          },
          {
            "timestamp": "2026-04-16 20:00:24,393",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              }
            ],
            "repeated": 0,
            "id": 3073
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "12730"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12730"
              }
            ],
            "repeated": 0,
            "id": 3074
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3075
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3076
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              }
            ],
            "repeated": 0,
            "id": 3077
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "12736"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "191206"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12736"
              }
            ],
            "repeated": 0,
            "id": 3078
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3079
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3080
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              }
            ],
            "repeated": 0,
            "id": 3081
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "12737"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1406"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12737"
              }
            ],
            "repeated": 0,
            "id": 3082
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3083
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3084
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 3085
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "BuildBranch"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildBranch"
              }
            ],
            "repeated": 0,
            "id": 3086
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "BuildBranch"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "vb_release"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildBranch"
              }
            ],
            "repeated": 0,
            "id": 3087
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3088
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3089
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 3090
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "CurrentType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType"
              }
            ],
            "repeated": 0,
            "id": 3091
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "CurrentType"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Multiprocessor Free"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType"
              }
            ],
            "repeated": 0,
            "id": 3092
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3093
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3094
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              }
            ],
            "repeated": 0,
            "id": 3095
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "12675"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12675"
              }
            ],
            "repeated": 0,
            "id": 3096
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3097
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3098
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              }
            ],
            "repeated": 0,
            "id": 3099
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "12676"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12676"
              }
            ],
            "repeated": 0,
            "id": 3100
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3101
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3102
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              }
            ],
            "repeated": 0,
            "id": 3103
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "12677"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12677"
              }
            ],
            "repeated": 0,
            "id": 3104
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3105
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3106
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              }
            ],
            "repeated": 0,
            "id": 3107
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "12678"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12678"
              }
            ],
            "repeated": 0,
            "id": 3108
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3109
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3110
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 3111
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "UBR"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2006"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\UBR"
              }
            ],
            "repeated": 0,
            "id": 3112
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3113
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3114
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 3115
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "BuildLabEx"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildLabEx"
              }
            ],
            "repeated": 0,
            "id": 3116
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "BuildLabEx"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "19041.1.amd64fre.vb_release.191206-1406"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildLabEx"
              }
            ],
            "repeated": 0,
            "id": 3117
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3118
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3119
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 3120
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "BuildBranch"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildBranch"
              }
            ],
            "repeated": 0,
            "id": 3121
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "BuildBranch"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "vb_release"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildBranch"
              }
            ],
            "repeated": 0,
            "id": 3122
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3123
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3124
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Flighting\\Build"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Flighting\\Build"
              }
            ],
            "repeated": 0,
            "id": 3125
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000035c"
              },
              {
                "name": "ValueName",
                "value": "UpdateID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Flighting\\Build\\UpdateID"
              }
            ],
            "repeated": 0,
            "id": 3126
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000035c"
              }
            ],
            "repeated": 0,
            "id": 3127
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\rpcss.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x0000001e"
              }
            ],
            "repeated": 0,
            "id": 3128
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 3129
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77d97000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3130
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77d97000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3131
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x005ea000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3132
          },
          {
            "timestamp": "2026-04-16 20:00:24,408",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\clbcatq"
              },
              {
                "name": "DllBase",
                "value": "0x77400000"
              }
            ],
            "repeated": 0,
            "id": 3133
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "com",
            "api": "CoCreateInstance",
            "status": false,
            "return": "0xffffffff80040154",
            "arguments": [
              {
                "name": "rclsid",
                "value": "3185A766-B338-11E4-A71E-12E3F512A338"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "E833FEB2-C58A-45E4-8D93-08874744FEBB"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3134
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 3135
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 3136
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000374"
              }
            ],
            "repeated": 0,
            "id": 3137
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03ca0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3138
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000380"
              }
            ],
            "repeated": 0,
            "id": 3139
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000386"
              }
            ],
            "repeated": 0,
            "id": 3140
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76060000"
              }
            ],
            "repeated": 0,
            "id": 3141
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77d97000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3142
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77d97000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3143
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "com",
            "api": "CoCreateInstance",
            "status": false,
            "return": "0xffffffff80040154",
            "arguments": [
              {
                "name": "rclsid",
                "value": "B31C57AC-4A31-470F-BBEE-DBA1E5B246BE"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "79588F37-5BE1-4A35-B23D-29832257CADA"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3144
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000380"
              }
            ],
            "repeated": 0,
            "id": 3145
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000374"
              }
            ],
            "repeated": 0,
            "id": 3146
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 3147
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03ca0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3148
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 3149
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              }
            ],
            "repeated": 0,
            "id": 3150
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76060000"
              }
            ],
            "repeated": 0,
            "id": 3151
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3152
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000378"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SYSTEM\\CurrentControlSet\\Control"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control"
              }
            ],
            "repeated": 0,
            "id": 3153
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000378"
              },
              {
                "name": "ValueName",
                "value": "ContainerType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ContainerType"
              }
            ],
            "repeated": 0,
            "id": 3154
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 3155
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3156
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000378"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SYSTEM\\CurrentControlSet\\Control"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control"
              }
            ],
            "repeated": 0,
            "id": 3157
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000378"
              },
              {
                "name": "ValueName",
                "value": "ContainerId"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ContainerId"
              }
            ],
            "repeated": 0,
            "id": 3158
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 3159
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70642000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3160
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70642000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3161
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70642000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3162
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x70642000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3163
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 3164
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3165
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3166
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\\xe7\\xdf\\x03\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xcc\\x04\\x82\\xdf\\xb2e\\xf3\\xf4\\xc8\\x97L\\xbe\\xe8\\x03\\x00\\x00\\xac\\xe7\\xdf\\x03\\x00\\x00\\x00\\x00`\\xe7\\xdf\\x03\\xc3\\xd8\\xbew\\xac\\x03\\x00\\x00\\x12\\x00\\x00\\x00x\\xe7\\xdf\\x03\\x04\\x00\\x00\\x00\\\\xe7\\xdf\\x03\\xac\\x03\\x00\\x00\\x04\\x00\\x00\\x00\\x88\\xe7\\xdf\\x03/\\xd8\\xbew\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xcc\\xe7\\xdf\\x03"
              }
            ],
            "repeated": 0,
            "id": 3167
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\User\\S-1-5-21-3749840076-4109591986-3192690632-1000_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 3168
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 3169
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\__ComCatalogCache__"
              }
            ],
            "repeated": 0,
            "id": 3170
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03ca0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x03dfe7a4"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3171
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3172
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\COM3"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\COM3"
              }
            ],
            "repeated": 0,
            "id": 3173
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "Com+Enabled"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled"
              }
            ],
            "repeated": 0,
            "id": 3174
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 3175
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Microsoft\\WindowsRuntime"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WindowsRuntime"
              }
            ],
            "repeated": 0,
            "id": 3176
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ActivatableClassId"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId"
              }
            ],
            "repeated": 0,
            "id": 3177
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.System.Profile.EducationSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings"
              }
            ],
            "repeated": 0,
            "id": 3178
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffb9\\xffaej3\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00P\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00.\\x00P\\x00r\\x00o\\x00f\\x00i\\x00l\\x00e\\x00.\\x00E\\x00d\\x00u\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00S\\x00e\\x00t\\x00t\\x00i\\x00n\\x00g\\x00s\\x00\\x00\\x00\\x00\\x00\\x00\\x00[\\x00\\x08\nT\\x00\\x12\\x00\\x00\\x12,\\xffe4\\xffdf\\x03\\xffae^\\xffe8w\\x01\\x00\\x00\\x00\\xffae^\\xffe8w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0n]\\x00\\xffd0n]\\x00\\xffc0s]\\x00\\xffd0n]\\x00x\\xffe4\\xffdf\\x03\\xffe4\\xffc1\\xffecs\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00cl:us+\\x00\\x10\\x00\\x00\\x00\\x00\\xffd7+\\x00\\x103\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\x00\\x00\\xffe0\\x03\\x00\\x00\\x00\\x00\\xffa8\\xffe4\\xffdf\\x03\\xffe4\\xffc1\\xffecs\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb3l:us+\\x00\\x10\\x00\\x00\\x00\\x00\\xffd7+\\x00\\x105\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\x00\\x00\\xffe0\\x03\\x00\\x00\\x00\\x00p\\xffe4\\xffdf\\x03d\\xffff\\xffdf\\x03D\\xffec\\xffdf\\x03s+\\x00\\x108,\\x0et\\xffd7+\\x00\\x10\\xffe8\\xffe4\\xffdf\\x036\\xffa7\\xffecs$\\xff99\\x0bt\\xffcbl:u\\x10\\xffe0\\xffdf\\x038,\\x0etD\\xffec\\xffdf\\x03\\xffd0\\xffa9\\x01t\\xffa3\\xffde\\xffe8\\x02\\xfffe\\xffff\\xffff\\xffff4\\xffe5\\xffdf\\x03\\xffdf)\\xffees/\\x00\\x00\\x00X\\x1e\\x0ctP$\\x0ct\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00I$\\x0ctl#\\x0ct \\x01]\\x00\\xffc8\\xffda\\x0bt\\x19\\x01\\x02\\x00\\x14$\\x0ct\\xffb4\\x03\\x00\\x00\\xfffc#\\x0ct\\xff84\\xffe5\\xffdf\\x03#-\\xffc1vp\\xffcb\\\\x00\\xffb4\\x03\\x00\\x00 \\x01]\\x00 
\\x01\\x00\\x00\\x10\\xffe5\\xffdf\\x03p\\xffcb\\\\x00D\\xffec\\xffdf\\x03\\x00\\xffae\\xffebw\\x17\\x02\\xffea\\x02\\xfffe\\xffff\\xffff\\xffffh\\xffe5\\xffdf\\x03ay\\xffc7w\\x00\\x00\\x00\\x00\\xffb4\\x03\\x00\\x00Hs]\\x00\\x18\\x00\\x00\\x00\\xffb4\\x03\\x00\\x00\\xff84\\xffe5\\xffdf\\x03@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff9c\\xffe5\\xffdf\\x03\\xffc93\\xffc2w\\x19\\x01\\x02\\x00 \\x01]\\x00\\xffe0P\\xffc7w\\x18\\x01]\\x00\\xffc8s]\\x00\\xff98\\xffe5\\xffdf\\x03\\x0f\\xfff3\\xffc8wHs]\\x00\\xffb0\\xffe5\\xffdf\\x03\\x18\\x01]\\x00\\xffb4\\xffe5\\xffdf\\x03-Q\\xffc7w\\xffb8\\x03\\x00\\x00\\x00\\x01]\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3179
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 3180
          },
          {
            "timestamp": "2026-04-16 20:00:24,424",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\Server"
              }
            ],
            "repeated": 0,
            "id": 3181
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Windows\\System32\\twinapi.appcore.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 3182
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\Threading"
              }
            ],
            "repeated": 0,
            "id": 3183
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 3184
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CustomAttributes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 3185
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 3186
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 3187
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 3188
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 3189
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 3190
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 3191
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3192
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\OLE\\Diagnosis"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\Diagnosis"
              }
            ],
            "repeated": 0,
            "id": 3193
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3194
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3195
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\OLE"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE"
              }
            ],
            "repeated": 0,
            "id": 3196
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "MaxSxSHashCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaxSxSHashCount"
              }
            ],
            "repeated": 0,
            "id": 3197
          },
          {
            "timestamp": "2026-04-16 20:00:24,439",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3198
          },
          {
            "timestamp": "2026-04-16 20:00:24,518",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\twinapi.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x6fa40000"
              }
            ],
            "repeated": 0,
            "id": 3199
          },
          {
            "timestamp": "2026-04-16 20:00:24,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\twinapi.appcore.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fa40000"
              }
            ],
            "repeated": 0,
            "id": 3200
          },
          {
            "timestamp": "2026-04-16 20:00:24,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "twinapi.appcore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x6fa40000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x6faaaa80"
              }
            ],
            "repeated": 0,
            "id": 3201
          },
          {
            "timestamp": "2026-04-16 20:00:24,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "twinapi.appcore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x6fa40000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x6faab7d0"
              }
            ],
            "repeated": 0,
            "id": 3202
          },
          {
            "timestamp": "2026-04-16 20:00:24,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "twinapi.appcore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x6fa40000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x6faaaa20"
              }
            ],
            "repeated": 0,
            "id": 3203
          },
          {
            "timestamp": "2026-04-16 20:00:24,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3204
          },
          {
            "timestamp": "2026-04-16 20:00:24,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3205
          },
          {
            "timestamp": "2026-04-16 20:00:24,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\SharedPC"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SharedPC"
              }
            ],
            "repeated": 0,
            "id": 3206
          },
          {
            "timestamp": "2026-04-16 20:00:24,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "EduSharedPCMode"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SharedPC\\EduSharedPCMode"
              }
            ],
            "repeated": 0,
            "id": 3207
          },
          {
            "timestamp": "2026-04-16 20:00:24,627",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 3208
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3209
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySystemInformation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb2df0"
              }
            ],
            "repeated": 0,
            "id": 3210
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "134"
              }
            ],
            "repeated": 0,
            "id": 3211
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Rpc\\Extensions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Extensions"
              }
            ],
            "repeated": 0,
            "id": 3212
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "NdrOleExtDLL"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "combase.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL"
              }
            ],
            "repeated": 0,
            "id": 3213
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              }
            ],
            "repeated": 0,
            "id": 3214
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77b50000"
              }
            ],
            "repeated": 0,
            "id": 3215
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77b50000"
              },
              {
                "name": "FunctionName",
                "value": "NdrOleInitializeExtension"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77c79590"
              }
            ],
            "repeated": 0,
            "id": 3216
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77b50000"
              },
              {
                "name": "FunctionName",
                "value": "CoMarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77c372f0"
              }
            ],
            "repeated": 0,
            "id": 3217
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77b50000"
              },
              {
                "name": "FunctionName",
                "value": "CoUnmarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77c35d80"
              }
            ],
            "repeated": 0,
            "id": 3218
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77b50000"
              },
              {
                "name": "FunctionName",
                "value": "StringFromIID"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77bbb480"
              }
            ],
            "repeated": 0,
            "id": 3219
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77b50000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemAlloc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77c57f90"
              }
            ],
            "repeated": 0,
            "id": 3220
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77b50000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemFree"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77c583b0"
              }
            ],
            "repeated": 0,
            "id": 3221
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77b50000"
              },
              {
                "name": "FunctionName",
                "value": "CoCreateInstance"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77c2e550"
              }
            ],
            "repeated": 0,
            "id": 3222
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77b50000"
              },
              {
                "name": "FunctionName",
                "value": "CoReleaseMarshalData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77c0db30"
              }
            ],
            "repeated": 0,
            "id": 3223
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000374"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3224
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "6936",
            "caller": "0x7726f231",
            "parentcaller": "0x736e2c18",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 2,
            "id": 3225
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "6936",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3226
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "6936",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3227
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "6936",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x005ef000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3228
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "6936",
            "caller": "0x7726074f",
            "parentcaller": "0x77bfbb70",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76060000"
              }
            ],
            "repeated": 0,
            "id": 3229
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000374"
              }
            ],
            "repeated": 0,
            "id": 3230
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 3231
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 3232
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 3233
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03ca0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3234
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 3235
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b2"
              }
            ],
            "repeated": 0,
            "id": 3236
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 3237
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d0"
              }
            ],
            "repeated": 0,
            "id": 3238
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 3239
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3240
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 3241
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3242
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3243
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3244
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 3245
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\twinapi.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x6fa40000"
              }
            ],
            "repeated": 0,
            "id": 3246
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3247
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3248
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fa40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 3249
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76060000"
              }
            ],
            "repeated": 0,
            "id": 3250
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04144000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3251
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3252
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              }
            ],
            "repeated": 0,
            "id": 3253
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "8073"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\8073"
              }
            ],
            "repeated": 0,
            "id": 3254
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3255
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3256
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlConvertDeviceFamilyInfoToString"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ef5430"
              }
            ],
            "repeated": 0,
            "id": 3257
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-OneCore-DeviceFamilyID"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3258
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\OEM"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\OEM"
              }
            ],
            "repeated": 0,
            "id": 3259
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "DeviceForm"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\OEM\\DeviceForm"
              }
            ],
            "repeated": 0,
            "id": 3260
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3261
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-OneCore-DeviceFamilyID"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3262
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\OEM"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\OEM"
              }
            ],
            "repeated": 0,
            "id": 3263
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "DeviceForm"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\OEM\\DeviceForm"
              }
            ],
            "repeated": 0,
            "id": 3264
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3265
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3266
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SYSTEM\\Platform\\DeviceTargetingInfo"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\Platform\\DeviceTargetingInfo"
              }
            ],
            "repeated": 0,
            "id": 3267
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3268
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SYSTEM\\CurrentControlSet\\Control\\SystemInformation"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SystemInformation"
              }
            ],
            "repeated": 0,
            "id": 3269
          },
          {
            "timestamp": "2026-04-16 20:00:24,658",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "SystemManufacturer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer"
              }
            ],
            "repeated": 0,
            "id": 3270
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "SystemManufacturer"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "QEMU"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer"
              }
            ],
            "repeated": 0,
            "id": 3271
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "BIOSVersion"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\BIOSVersion"
              }
            ],
            "repeated": 0,
            "id": 3272
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "BIOSVersion"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "rel-1.16.3-0-ga6ed6b7-prebuilt.qemu.org"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\BIOSVersion"
              }
            ],
            "repeated": 0,
            "id": 3273
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "SystemProductName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemProductName"
              }
            ],
            "repeated": 0,
            "id": 3274
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "SystemProductName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Standard PC (Q35 + ICH9, 2009)"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemProductName"
              }
            ],
            "repeated": 0,
            "id": 3275
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3276
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3277
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Product"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Product"
              }
            ],
            "repeated": 0,
            "id": 3278
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\drivers\\*.mrk"
              }
            ],
            "repeated": 0,
            "id": 3279
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3280
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              }
            ],
            "repeated": 0,
            "id": 3281
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "10433"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "8192"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\10433"
              }
            ],
            "repeated": 0,
            "id": 3282
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3283
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3284
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              }
            ],
            "repeated": 0,
            "id": 3285
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "31"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\31"
              }
            ],
            "repeated": 0,
            "id": 3286
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3287
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3288
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Hardware\\Description\\System\\CentralProcessor\\0"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Hardware\\Description\\System\\CentralProcessor\\0"
              }
            ],
            "repeated": 0,
            "id": 3289
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "~MHz"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2600"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\~MHz"
              }
            ],
            "repeated": 0,
            "id": 3290
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3291
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3292
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              }
            ],
            "repeated": 0,
            "id": 3293
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "4573"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\4573"
              }
            ],
            "repeated": 0,
            "id": 3294
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3295
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3296
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              }
            ],
            "repeated": 0,
            "id": 3297
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "4572"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\4572"
              }
            ],
            "repeated": 0,
            "id": 3298
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3299
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3300
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Hardware\\Description\\System\\CentralProcessor\\0"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Hardware\\Description\\System\\CentralProcessor\\0"
              }
            ],
            "repeated": 0,
            "id": 3301
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "ProcessorNameString"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString"
              }
            ],
            "repeated": 0,
            "id": 3302
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "ProcessorNameString"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Intel(R) Xeon(R) CPU E5-2689 0 @ 2.60GHz"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString"
              }
            ],
            "repeated": 0,
            "id": 3303
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3304
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3305
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              }
            ],
            "repeated": 0,
            "id": 3306
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "4575"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\4575"
              }
            ],
            "repeated": 0,
            "id": 3307
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3308
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3309
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              }
            ],
            "repeated": 0,
            "id": 3310
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "9290"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\9290"
              }
            ],
            "repeated": 0,
            "id": 3311
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3312
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3313
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Hardware\\Description\\System\\BIOS"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Hardware\\Description\\System\\BIOS"
              }
            ],
            "repeated": 0,
            "id": 3314
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "SystemSKU"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemSKU"
              }
            ],
            "repeated": 0,
            "id": 3315
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "SystemSKU"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemSKU"
              }
            ],
            "repeated": 0,
            "id": 3316
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3317
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3318
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "System\\CurrentControlSet\\Control\\SystemInformation"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SystemInformation"
              }
            ],
            "repeated": 0,
            "id": 3319
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "ComputerHardwareId"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\ComputerHardwareId"
              }
            ],
            "repeated": 0,
            "id": 3320
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "ComputerHardwareId"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{081218f3-79c6-50d9-9cbe-2ba7d440c011}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\ComputerHardwareId"
              }
            ],
            "repeated": 0,
            "id": 3321
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3322
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3323
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              }
            ],
            "repeated": 0,
            "id": 3324
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "12728"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "100"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12728"
              }
            ],
            "repeated": 0,
            "id": 3325
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3326
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3327
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3328
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 3329
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "MachineId"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MachineId"
              }
            ],
            "repeated": 0,
            "id": 3330
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "MachineId"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "{DEA0B215-B8D4-44C0-B1F3-E3A7DA9D6FC6}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MachineId"
              }
            ],
            "repeated": 0,
            "id": 3331
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3332
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3333
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Policies\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 3334
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3335
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 3336
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "MSFTInternal"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MSFTInternal"
              }
            ],
            "repeated": 0,
            "id": 3337
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3338
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3339
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 3340
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "IsTest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\IsTest"
              }
            ],
            "repeated": 0,
            "id": 3341
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3342
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3343
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Reliability Analysis\\RAC"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC"
              }
            ],
            "repeated": 0,
            "id": 3344
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "RacSampleNumber"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "94547845"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC\\RacSampleNumber"
              }
            ],
            "repeated": 0,
            "id": 3345
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3346
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3347
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\TelemetryClient\\OEMInfo"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\TelemetryClient\\OEMInfo"
              }
            ],
            "repeated": 0,
            "id": 3348
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3349
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Policies\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 3350
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3351
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 3352
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "CorporateSQMURL"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\CorporateSQMURL"
              }
            ],
            "repeated": 0,
            "id": 3353
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3354
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3355
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3356
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "CommercialId"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\CommercialId"
              }
            ],
            "repeated": 0,
            "id": 3357
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3358
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3359
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 3360
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3361
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3362
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "CommercialId"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\CommercialId"
              }
            ],
            "repeated": 0,
            "id": 3363
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3364
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-OneCore-DeviceFamilyID"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3365
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3366
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\XboxLive"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\XboxLive"
              }
            ],
            "repeated": 0,
            "id": 3367
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3368
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints"
              }
            ],
            "repeated": 0,
            "id": 3369
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "12674"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12674"
              }
            ],
            "repeated": 0,
            "id": 3370
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3371
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3372
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySecurityPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb4050"
              }
            ],
            "repeated": 0,
            "id": 3373
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3374
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3375
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3376
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 3377
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3378
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3379
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 3380
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3381
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 3382
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 3383
          },
          {
            "timestamp": "2026-04-16 20:00:24,674",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3384
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 3385
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 3386
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x6fb40000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x6fb521f0"
              }
            ],
            "repeated": 0,
            "id": 3387
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x6fb40000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x6fb543f0"
              }
            ],
            "repeated": 0,
            "id": 3388
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3389
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3390
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3391
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 3392
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 3393
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "73777"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 3394
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 3395
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 3396
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 3397
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3398
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3399
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 3400
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 3401
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 3402
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 3403
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 3404
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 3405
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 3406
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3407
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3408
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 3409
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value"
              }
            ],
            "repeated": 0,
            "id": 3410
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value"
              }
            ],
            "repeated": 0,
            "id": 3411
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 3412
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3413
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3414
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 3415
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 3416
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3417
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 3418
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3419
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3420
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 3421
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 3422
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3423
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3424
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3425
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 3426
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 3427
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3428
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3429
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fb40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 3430
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3431
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 3432
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3433
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 3434
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 3435
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3436
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3437
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 3438
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3439
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3440
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 3441
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3442
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TelemetryPermission-DefaultLevel"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3443
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3444
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySecurityPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb4050"
              }
            ],
            "repeated": 0,
            "id": 3445
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3446
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3447
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3448
          },
          {
            "timestamp": "2026-04-16 20:00:24,689",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 3449
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3450
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3451
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 3452
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3453
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 3454
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 3455
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 3456
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 3457
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 3458
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x6fb40000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x6fb521f0"
              }
            ],
            "repeated": 0,
            "id": 3459
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x6fb40000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x6fb543f0"
              }
            ],
            "repeated": 0,
            "id": 3460
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3461
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3462
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3463
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 3464
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 3465
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "73777"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 3466
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 3467
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 3468
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 3469
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3470
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3471
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 3472
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 3473
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 3474
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 3475
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 3476
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 3477
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 3478
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3479
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3480
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 3481
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value"
              }
            ],
            "repeated": 0,
            "id": 3482
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value"
              }
            ],
            "repeated": 0,
            "id": 3483
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 3484
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3485
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3486
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 3487
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 3488
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3489
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 3490
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3491
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3492
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 3493
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 3494
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3495
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 3496
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3497
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 3498
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 3499
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3500
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3501
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fb40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 3502
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3503
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 3504
          },
          {
            "timestamp": "2026-04-16 20:00:24,705",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3505
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 3506
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 3507
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 3508
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3509
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 3510
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3511
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3512
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 3513
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 3514
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TelemetryPermission-DefaultLevel"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3515
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3516
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySecurityPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb4050"
              }
            ],
            "repeated": 0,
            "id": 3517
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3518
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3519
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3520
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 3521
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3522
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3523
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 3524
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3525
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 3526
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 3527
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3528
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 3529
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 3530
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x6fb40000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x6fb521f0"
              }
            ],
            "repeated": 0,
            "id": 3531
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x6fb40000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x6fb543f0"
              }
            ],
            "repeated": 0,
            "id": 3532
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3533
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3534
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3535
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 3536
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 3537
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "73777"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 3538
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 3539
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 3540
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 3541
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3542
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3543
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 3544
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 3545
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 3546
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 3547
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 3548
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 3549
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 3550
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3551
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3552
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 3553
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value"
              }
            ],
            "repeated": 0,
            "id": 3554
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value"
              }
            ],
            "repeated": 0,
            "id": 3555
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 3556
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3557
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3558
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 3559
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 3560
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3561
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 3562
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3563
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3564
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 3565
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 3566
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3567
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 3568
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3569
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 3570
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 3571
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3572
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3573
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fb40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 3574
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3575
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 3576
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3577
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 3578
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 3579
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 3580
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3581
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 3582
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3583
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3584
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 3585
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 3586
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TelemetryPermission-DefaultLevel"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3587
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Telemetry-ProcessorModeAllowed"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3588
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 3589
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 3590
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x6fb40000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x6fb521f0"
              }
            ],
            "repeated": 0,
            "id": 3591
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x6fb40000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x6fb543f0"
              }
            ],
            "repeated": 0,
            "id": 3592
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x6fb40000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetGroupAreaPolicyCollectionGivenGroupName"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x6fb55c90"
              }
            ],
            "repeated": 0,
            "id": 3593
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x6fb40000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGroupAreaPolicyCollection"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x6fb55bd0"
              }
            ],
            "repeated": 0,
            "id": 3594
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3595
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\_Groups\\UTCPartnerPrograms"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\_Groups\\UTCPartnerPrograms"
              }
            ],
            "repeated": 0,
            "id": 3596
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "KeyInformation",
                "value": "uL\\x7f\\xffd5\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 3597
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3598
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3599
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3600
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3601
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3602
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3603
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\_Groups\\UTCPartnerPrograms\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\_Groups\\UTCPartnerPrograms\\System"
              }
            ],
            "repeated": 0,
            "id": 3604
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "KeyInformation",
                "value": "!E\\xffbcY1\\xffc3\\xffd8\\x01\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00L\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 3605
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3606
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 3607
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 3608
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "Index",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 3609
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "Index",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 3610
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 3611
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3612
          },
          {
            "timestamp": "2026-04-16 20:00:24,721",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3613
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline"
              }
            ],
            "repeated": 0,
            "id": 3614
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 3615
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "139296"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 3616
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 3617
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 3618
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 3619
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 3620
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowCommercialDataPipeline"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 3621
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 3622
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 3623
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyismultisz"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\grouppolicyismultisz"
              }
            ],
            "repeated": 0,
            "id": 3624
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicymultiszSeparatorChar"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\grouppolicymultiszSeparatorChar"
              }
            ],
            "repeated": 0,
            "id": 3625
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 3626
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 3627
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 3628
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3629
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3630
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 3631
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\30Value"
              }
            ],
            "repeated": 0,
            "id": 3632
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\Value"
              }
            ],
            "repeated": 0,
            "id": 3633
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3634
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3635
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3636
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "AllowCommercialDataPipeline"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowCommercialDataPipeline"
              }
            ],
            "repeated": 0,
            "id": 3637
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3638
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3639
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 3640
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3641
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 3642
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3643
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3644
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "AllowCommercialDataPipeline"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowCommercialDataPipeline"
              }
            ],
            "repeated": 0,
            "id": 3645
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3646
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3647
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing"
              }
            ],
            "repeated": 0,
            "id": 3648
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 3649
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "139296"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 3650
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 3651
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 3652
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 3653
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 3654
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowDesktopAnalyticsProcessing"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 3655
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 3656
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 3657
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyismultisz"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\grouppolicyismultisz"
              }
            ],
            "repeated": 0,
            "id": 3658
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicymultiszSeparatorChar"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\grouppolicymultiszSeparatorChar"
              }
            ],
            "repeated": 0,
            "id": 3659
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 3660
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 3661
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 3662
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3663
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3664
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 3665
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\30Value"
              }
            ],
            "repeated": 0,
            "id": 3666
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\Value"
              }
            ],
            "repeated": 0,
            "id": 3667
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3668
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3669
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3670
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "AllowDesktopAnalyticsProcessing"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowDesktopAnalyticsProcessing"
              }
            ],
            "repeated": 0,
            "id": 3671
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3672
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3673
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 3674
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3675
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 3676
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3677
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3678
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "AllowDesktopAnalyticsProcessing"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowDesktopAnalyticsProcessing"
              }
            ],
            "repeated": 0,
            "id": 3679
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3680
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3681
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing"
              }
            ],
            "repeated": 0,
            "id": 3682
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 3683
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 3684
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 3685
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 3686
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 3687
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 3688
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 3689
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 3690
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 3691
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3692
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3693
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 3694
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\30Value"
              }
            ],
            "repeated": 0,
            "id": 3695
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\Value"
              }
            ],
            "repeated": 0,
            "id": 3696
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3697
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3698
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 3699
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3700
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 3701
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3702
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing"
              }
            ],
            "repeated": 0,
            "id": 3703
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 3704
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "139296"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 3705
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 3706
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 3707
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 3708
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 3709
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowUpdateComplianceProcessing"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 3710
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 3711
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 3712
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyismultisz"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\grouppolicyismultisz"
              }
            ],
            "repeated": 0,
            "id": 3713
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicymultiszSeparatorChar"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\grouppolicymultiszSeparatorChar"
              }
            ],
            "repeated": 0,
            "id": 3714
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 3715
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 3716
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 3717
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3718
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3719
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 3720
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\30Value"
              }
            ],
            "repeated": 0,
            "id": 3721
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\Value"
              }
            ],
            "repeated": 0,
            "id": 3722
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3723
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3724
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3725
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "AllowUpdateComplianceProcessing"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowUpdateComplianceProcessing"
              }
            ],
            "repeated": 0,
            "id": 3726
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3727
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3728
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 3729
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3730
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 3731
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3732
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3733
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "AllowUpdateComplianceProcessing"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowUpdateComplianceProcessing"
              }
            ],
            "repeated": 0,
            "id": 3734
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3735
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3736
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing"
              }
            ],
            "repeated": 0,
            "id": 3737
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 3738
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "139296"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 3739
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 3740
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 3741
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 3742
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 3743
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowWUfBCloudProcessing"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 3744
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 3745
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 3746
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyismultisz"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\grouppolicyismultisz"
              }
            ],
            "repeated": 0,
            "id": 3747
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicymultiszSeparatorChar"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\grouppolicymultiszSeparatorChar"
              }
            ],
            "repeated": 0,
            "id": 3748
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 3749
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 3750
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 3751
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3752
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3753
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 3754
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\30Value"
              }
            ],
            "repeated": 0,
            "id": 3755
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\Value"
              }
            ],
            "repeated": 0,
            "id": 3756
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3757
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3758
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3759
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "AllowWUfBCloudProcessing"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowWUfBCloudProcessing"
              }
            ],
            "repeated": 0,
            "id": 3760
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3761
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3762
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 3763
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3764
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 3765
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3766
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3767
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "AllowWUfBCloudProcessing"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowWUfBCloudProcessing"
              }
            ],
            "repeated": 0,
            "id": 3768
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 3769
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3770
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 3771
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3772
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 3773
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 3774
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3775
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3776
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fb40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 3777
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04145000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3778
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04146000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3779
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3780
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 3781
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3782
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 3783
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "NewUserDefaultConsent"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\NewUserDefaultConsent"
              }
            ],
            "repeated": 0,
            "id": 3784
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 3785
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3786
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 3787
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3788
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 3789
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "DontSendAdditionalData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData"
              }
            ],
            "repeated": 0,
            "id": 3790
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "Disabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled"
              }
            ],
            "repeated": 0,
            "id": 3791
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "Disabled"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled"
              }
            ],
            "repeated": 0,
            "id": 3792
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 3793
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "DefaultConsent"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
              }
            ],
            "repeated": 0,
            "id": 3794
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "DefaultConsent"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
              }
            ],
            "repeated": 0,
            "id": 3795
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3796
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 3797
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "DefaultOverrideBehavior"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior"
              }
            ],
            "repeated": 0,
            "id": 3798
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3799
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "LoggingDisabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled"
              }
            ],
            "repeated": 0,
            "id": 3800
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "DontShowUI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI"
              }
            ],
            "repeated": 0,
            "id": 3801
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "QueuePesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval"
              }
            ],
            "repeated": 0,
            "id": 3802
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DebugApplications"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications"
              }
            ],
            "repeated": 0,
            "id": 3803
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "BypassDataThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling"
              }
            ],
            "repeated": 0,
            "id": 3804
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "ForceUserModeCabCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection"
              }
            ],
            "repeated": 0,
            "id": 3805
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "BypassPowerThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling"
              }
            ],
            "repeated": 0,
            "id": 3806
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "BypassNetworkCostThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling"
              }
            ],
            "repeated": 0,
            "id": 3807
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "QueueNoPesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval"
              }
            ],
            "repeated": 0,
            "id": 3808
          },
          {
            "timestamp": "2026-04-16 20:00:24,736",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "AutoApproveOSDumps"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps"
              }
            ],
            "repeated": 0,
            "id": 3809
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "LiveReportFlushInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval"
              }
            ],
            "repeated": 0,
            "id": 3810
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 3811
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3812
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 3813
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3814
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 3815
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "DontSendAdditionalData"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData"
              }
            ],
            "repeated": 0,
            "id": 3816
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 3817
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "LoggingDisabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled"
              }
            ],
            "repeated": 0,
            "id": 3818
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "DontShowUI"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI"
              }
            ],
            "repeated": 0,
            "id": 3819
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "QueuePesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval"
              }
            ],
            "repeated": 0,
            "id": 3820
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DebugApplications"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications"
              }
            ],
            "repeated": 0,
            "id": 3821
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "BypassDataThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling"
              }
            ],
            "repeated": 0,
            "id": 3822
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "ForceUserModeCabCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection"
              }
            ],
            "repeated": 0,
            "id": 3823
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "BypassPowerThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling"
              }
            ],
            "repeated": 0,
            "id": 3824
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "BypassNetworkCostThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling"
              }
            ],
            "repeated": 0,
            "id": 3825
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "QueueNoPesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval"
              }
            ],
            "repeated": 0,
            "id": 3826
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "AutoApproveOSDumps"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps"
              }
            ],
            "repeated": 0,
            "id": 3827
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "LiveReportFlushInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval"
              }
            ],
            "repeated": 0,
            "id": 3828
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 3829
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3830
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 3831
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3832
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 3833
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "DontSendAdditionalData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData"
              }
            ],
            "repeated": 0,
            "id": 3834
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 3835
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "DefaultOverrideBehavior"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior"
              }
            ],
            "repeated": 0,
            "id": 3836
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 3837
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LoggingDisabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled"
              }
            ],
            "repeated": 0,
            "id": 3838
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "DontShowUI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI"
              }
            ],
            "repeated": 0,
            "id": 3839
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "QueuePesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval"
              }
            ],
            "repeated": 0,
            "id": 3840
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ForceQueue"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue"
              }
            ],
            "repeated": 0,
            "id": 3841
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "MaxQueueCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount"
              }
            ],
            "repeated": 0,
            "id": 3842
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "MaxArchiveCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount"
              }
            ],
            "repeated": 0,
            "id": 3843
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ConfigureArchive"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive"
              }
            ],
            "repeated": 0,
            "id": 3844
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "DisableArchive"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive"
              }
            ],
            "repeated": 0,
            "id": 3845
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "DebugApplications"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications"
              }
            ],
            "repeated": 0,
            "id": 3846
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer"
              }
            ],
            "repeated": 0,
            "id": 3847
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerUseSSL"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL"
              }
            ],
            "repeated": 0,
            "id": 3848
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerPortNumber"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber"
              }
            ],
            "repeated": 0,
            "id": 3849
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerUseAuthentication"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication"
              }
            ],
            "repeated": 0,
            "id": 3850
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "BypassDataThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling"
              }
            ],
            "repeated": 0,
            "id": 3851
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ForceUserModeCabCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection"
              }
            ],
            "repeated": 0,
            "id": 3852
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "BypassPowerThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling"
              }
            ],
            "repeated": 0,
            "id": 3853
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "BypassNetworkCostThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling"
              }
            ],
            "repeated": 0,
            "id": 3854
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "QueueNoPesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval"
              }
            ],
            "repeated": 0,
            "id": 3855
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "AutoApproveOSDumps"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps"
              }
            ],
            "repeated": 0,
            "id": 3856
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "MinFreeDiskSpace"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinFreeDiskSpace"
              }
            ],
            "repeated": 0,
            "id": 3857
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LiveReportFlushInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval"
              }
            ],
            "repeated": 0,
            "id": 3858
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "CabArchiveFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveFolder"
              }
            ],
            "repeated": 0,
            "id": 3859
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ForceHeapDump"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceHeapDump"
              }
            ],
            "repeated": 0,
            "id": 3860
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ForceMetadata"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceMetadata"
              }
            ],
            "repeated": 0,
            "id": 3861
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Source"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Source"
              }
            ],
            "repeated": 0,
            "id": 3862
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "User"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\User"
              }
            ],
            "repeated": 0,
            "id": 3863
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StorePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\StorePath"
              }
            ],
            "repeated": 0,
            "id": 3864
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ForceEtw"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceEtw"
              }
            ],
            "repeated": 0,
            "id": 3865
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerUploadOnFreeNetworksOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUploadOnFreeNetworksOnly"
              }
            ],
            "repeated": 0,
            "id": 3866
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "UploadOnFreeNetworksOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\UploadOnFreeNetworksOnly"
              }
            ],
            "repeated": 0,
            "id": 3867
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "CabArchiveSeparate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveSeparate"
              }
            ],
            "repeated": 0,
            "id": 3868
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "CabArchiveCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveCreate"
              }
            ],
            "repeated": 0,
            "id": 3869
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "LocalCompression"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalCompression"
              }
            ],
            "repeated": 0,
            "id": 3870
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "DisableWerUpload"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableWerUpload"
              }
            ],
            "repeated": 0,
            "id": 3871
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "DisableEnterpriseAuthProxy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableEnterpriseAuthProxy"
              }
            ],
            "repeated": 0,
            "id": 3872
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ArchiveFolderCountLimit"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ArchiveFolderCountLimit"
              }
            ],
            "repeated": 0,
            "id": 3873
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "QueueSizeMaxPercentFreeDisk"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueSizeMaxPercentFreeDisk"
              }
            ],
            "repeated": 0,
            "id": 3874
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "MinQueueSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinQueueSize"
              }
            ],
            "repeated": 0,
            "id": 3875
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "MaxRetriesForSasRenewal"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxRetriesForSasRenewal"
              }
            ],
            "repeated": 0,
            "id": 3876
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "NoHeapDumpOnQueue"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\NoHeapDumpOnQueue"
              }
            ],
            "repeated": 0,
            "id": 3877
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "DeferCabUpload"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DeferCabUpload"
              }
            ],
            "repeated": 0,
            "id": 3878
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3879
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3880
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySecurityPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb4050"
              }
            ],
            "repeated": 0,
            "id": 3881
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3882
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3883
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3884
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 3885
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3886
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3887
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 3888
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3889
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 3890
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 3891
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3892
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 3893
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 3894
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x6fb40000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x6fb521f0"
              }
            ],
            "repeated": 0,
            "id": 3895
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x6fb40000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x6fb543f0"
              }
            ],
            "repeated": 0,
            "id": 3896
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3897
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3898
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3899
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 3900
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 3901
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "73777"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 3902
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 3903
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 3904
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 3905
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3906
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3907
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 3908
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 3909
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 3910
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 3911
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 3912
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 3913
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 3914
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3915
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3916
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 3917
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value"
              }
            ],
            "repeated": 0,
            "id": 3918
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value"
              }
            ],
            "repeated": 0,
            "id": 3919
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3920
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3921
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3922
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 3923
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3924
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3925
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 3926
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3927
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3928
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 3929
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 3930
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 3931
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3932
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3933
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 3934
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 3935
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3936
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3937
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fb40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 3938
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3939
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 3940
          },
          {
            "timestamp": "2026-04-16 20:00:24,752",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3941
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 3942
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 3943
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3944
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3945
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 3946
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3947
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3948
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 3949
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3950
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TelemetryPermission-DefaultLevel"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3951
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3952
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySecurityPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb4050"
              }
            ],
            "repeated": 0,
            "id": 3953
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3954
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3955
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3956
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 3957
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3958
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 3959
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 3960
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3961
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 3962
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 3963
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 3964
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 3965
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 3966
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x6fb40000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x6fb521f0"
              }
            ],
            "repeated": 0,
            "id": 3967
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x6fb40000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x6fb543f0"
              }
            ],
            "repeated": 0,
            "id": 3968
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3969
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3970
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3971
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 3972
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 3973
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "73777"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 3974
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 3975
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 3976
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 3977
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3978
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3979
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 3980
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 3981
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 3982
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 3983
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 3984
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 3985
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 3986
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3987
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 3988
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 3989
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value"
              }
            ],
            "repeated": 0,
            "id": 3990
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value"
              }
            ],
            "repeated": 0,
            "id": 3991
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 3992
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3993
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 3994
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 3995
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 3996
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3997
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 3998
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3999
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 4000
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 4001
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 4002
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 4003
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4004
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 4005
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 4006
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 4007
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4008
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4009
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fb40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 4010
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 4011
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 4012
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4013
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 4014
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 4015
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4016
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 4017
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 4018
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4019
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 4020
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 4021
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4022
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TelemetryPermission-DefaultLevel"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 4023
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 4024
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySecurityPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb4050"
              }
            ],
            "repeated": 0,
            "id": 4025
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 4026
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4027
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 4028
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 4029
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4030
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 4031
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 4032
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4033
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 4034
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 4035
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4036
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 4037
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 4038
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x6fb40000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x6fb521f0"
              }
            ],
            "repeated": 0,
            "id": 4039
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x6fb40000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x6fb543f0"
              }
            ],
            "repeated": 0,
            "id": 4040
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4041
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4042
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4043
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 4044
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 4045
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "73777"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 4046
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 4047
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 4048
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 4049
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4050
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4051
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 4052
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 4053
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 4054
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 4055
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 4056
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 4057
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 4058
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 4059
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 4060
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 4061
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value"
              }
            ],
            "repeated": 0,
            "id": 4062
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value"
              }
            ],
            "repeated": 0,
            "id": 4063
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 4064
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4065
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 4066
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 4067
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 4068
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4069
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 4070
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4071
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 4072
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003bc"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 4073
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 4074
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 4075
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4076
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 4077
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 4078
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 4079
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4080
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4081
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fb40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 4082
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 4083
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 4084
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4085
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 4086
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 4087
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4088
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 4089
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 4090
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4091
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 4092
          },
          {
            "timestamp": "2026-04-16 20:00:24,768",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 4093
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4094
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TelemetryPermission-DefaultLevel"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 4095
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4096
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Policies\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 4097
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4098
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 4099
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "MSFTInternal"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MSFTInternal"
              }
            ],
            "repeated": 0,
            "id": 4100
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4101
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4102
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Policies\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 4103
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4104
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\SQMClient"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 4105
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "IsTest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\IsTest"
              }
            ],
            "repeated": 0,
            "id": 4106
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4107
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4108
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c4"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "D\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 4109
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4110
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InputBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4111
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 4112
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c4"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "D\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 4113
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4114
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              }
            ],
            "repeated": 1,
            "id": 4115
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp"
              },
              {
                "name": "CreateDisposition",
                "value": "2",
                "pretty_value": "FILE_CREATE"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4116
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4117
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00110080",
                "pretty_value": "FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4118
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c4"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "f\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\\\x00W\\x00E\\x00R\\x003\\x004\\x003\\x00C\\x00.\\x00t\\x00m\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 4119
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4120
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c8"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InputBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4121
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 4122
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c4"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "f\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\\\x00W\\x00E\\x00R\\x003\\x004\\x003\\x00C\\x00.\\x00t\\x00m\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 4123
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4124
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp"
              }
            ],
            "repeated": 0,
            "id": 4125
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005daaa8",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 4126
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 4127
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005dad68",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 4128
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 4129
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005dad68",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 4130
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 4131
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005dad68",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xa9fe91a6"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dccddb"
              }
            ],
            "repeated": 0,
            "id": 4132
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 4133
          },
          {
            "timestamp": "2026-04-16 20:00:24,783",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4134
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c4"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp"
              },
              {
                "name": "FileInformationClass",
                "value": "13",
                "pretty_value": "FileDispositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 4135
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4136
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00110080",
                "pretty_value": "FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp.xml"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4137
          },
          {
            "timestamp": "2026-04-16 20:00:24,893",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp.xml"
              },
              {
                "name": "CreateDisposition",
                "value": "2",
                "pretty_value": "FILE_CREATE"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4138
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c4"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp.xml"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "n\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\\\x00W\\x00E\\x00R\\x003\\x004\\x003\\x00C\\x00.\\x00t\\x00m\\x00p\\x00.\\x00x\\x00m\\x00l\\x00"
              }
            ],
            "repeated": 0,
            "id": 4139
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4140
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003bc"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InputBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4141
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 4142
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c4"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp.xml"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "n\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\\\x00W\\x00E\\x00R\\x003\\x004\\x003\\x00C\\x00.\\x00t\\x00m\\x00p\\x00.\\x00x\\x00m\\x00l\\x00"
              }
            ],
            "repeated": 0,
            "id": 4143
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4144
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp.xml"
              }
            ],
            "repeated": 0,
            "id": 4145
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005da8a8",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 4146
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 4147
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005dabe8",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 4148
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 4149
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005dab28",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 4150
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 4151
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 4152
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp.xml"
              }
            ],
            "repeated": 0,
            "id": 4153
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005dab28",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 4154
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 4155
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005da968",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 4156
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 4157
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005dae68",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 4158
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 4159
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4160
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c4"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp.xml"
              },
              {
                "name": "Buffer",
                "value": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<req ver=\"2\">\r\n  <tlm>\r\n    <src>\r\n      <desc>\r\n        <mach>\r\n          <os>\r\n            <arg nm=\"vermaj\" val=\"10\" />\r\n            <arg nm=\"vermin\" val=\"0\" />\r\n            <arg nm=\"verbld\" val=\"1"
              },
              {
                "name": "Length",
                "value": "4720"
              }
            ],
            "repeated": 0,
            "id": 4161
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4162
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp.xml"
              }
            ],
            "repeated": 0,
            "id": 4163
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp.xml"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4164
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4165
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 4166
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySecurityPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77eb4050"
              }
            ],
            "repeated": 0,
            "id": 4167
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 4168
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4169
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 4170
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 4171
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4172
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 4173
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 4174
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4175
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 4176
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 4177
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4178
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 4179
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 4180
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x6fb40000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x6fb521f0"
              }
            ],
            "repeated": 0,
            "id": 4181
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x6fb40000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x6fb543f0"
              }
            ],
            "repeated": 0,
            "id": 4182
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4183
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4184
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4185
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 4186
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 4187
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "73777"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 4188
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 4189
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 4190
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 4191
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4192
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fbbb000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4193
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 4194
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 4195
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 4196
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 4197
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 4198
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 4199
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 4200
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 4201
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfo"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 4202
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Kernel-ProductInfoLegacyMapping"
              },
              {
                "name": "Type",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 4203
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value"
              }
            ],
            "repeated": 0,
            "id": 4204
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value"
              }
            ],
            "repeated": 0,
            "id": 4205
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 4206
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4207
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 4208
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 4209
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 4210
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4211
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 4212
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4213
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 4214
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry_PolicyManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager"
              }
            ],
            "repeated": 0,
            "id": 4215
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 4216
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 4217
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4218
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 4219
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 4220
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x6fb40000"
              }
            ],
            "repeated": 0,
            "id": 4221
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4222
          },
          {
            "timestamp": "2026-04-16 20:00:24,908",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77f69000"
              },
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4223
          },
          {
            "timestamp": "2026-04-16 20:00:24,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6fb40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 4224
          },
          {
            "timestamp": "2026-04-16 20:00:24,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 4225
          },
          {
            "timestamp": "2026-04-16 20:00:24,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 4226
          },
          {
            "timestamp": "2026-04-16 20:00:24,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4227
          },
          {
            "timestamp": "2026-04-16 20:00:24,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 4228
          },
          {
            "timestamp": "2026-04-16 20:00:24,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "KeyInformation",
                "value": "O\\xffb9^i\\xfff7\\xffab\\xffdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 4229
          },
          {
            "timestamp": "2026-04-16 20:00:24,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 4230
          },
          {
            "timestamp": "2026-04-16 20:00:24,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 4231
          },
          {
            "timestamp": "2026-04-16 20:00:24,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77ea61b0"
              }
            ],
            "repeated": 0,
            "id": 4232
          },
          {
            "timestamp": "2026-04-16 20:00:24,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4233
          },
          {
            "timestamp": "2026-04-16 20:00:24,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 4234
          },
          {
            "timestamp": "2026-04-16 20:00:24,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 4235
          },
          {
            "timestamp": "2026-04-16 20:00:24,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 4236
          },
          {
            "timestamp": "2026-04-16 20:00:24,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TelemetryPermission-DefaultLevel"
              },
              {
                "name": "Type",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 4237
          },
          {
            "timestamp": "2026-04-16 20:00:24,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "115"
              }
            ],
            "repeated": 0,
            "id": 4238
          },
          {
            "timestamp": "2026-04-16 20:00:24,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              },
              {
                "name": "EventName",
                "value": "\\KernelObjects\\SystemErrorPortReady"
              }
            ],
            "repeated": 0,
            "id": 4239
          },
          {
            "timestamp": "2026-04-16 20:00:24,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4240
          },
          {
            "timestamp": "2026-04-16 20:00:24,924",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              },
              {
                "name": "Milliseconds",
                "value": "15000"
              }
            ],
            "repeated": 0,
            "id": 4241
          },
          {
            "timestamp": "2026-04-16 20:00:25,002",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 1,
            "id": 4242
          },
          {
            "timestamp": "2026-04-16 20:00:25,143",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER3535.tmp.csv"
              }
            ],
            "repeated": 0,
            "id": 4243
          },
          {
            "timestamp": "2026-04-16 20:00:25,158",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER3535.tmp.csv"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4244
          },
          {
            "timestamp": "2026-04-16 20:00:25,158",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 4245
          },
          {
            "timestamp": "2026-04-16 20:00:25,158",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "115"
              }
            ],
            "repeated": 0,
            "id": 4246
          },
          {
            "timestamp": "2026-04-16 20:00:25,158",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              },
              {
                "name": "EventName",
                "value": "\\KernelObjects\\SystemErrorPortReady"
              }
            ],
            "repeated": 0,
            "id": 4247
          },
          {
            "timestamp": "2026-04-16 20:00:25,158",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4248
          },
          {
            "timestamp": "2026-04-16 20:00:25,158",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              },
              {
                "name": "Milliseconds",
                "value": "15000"
              }
            ],
            "repeated": 0,
            "id": 4249
          },
          {
            "timestamp": "2026-04-16 20:00:25,158",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 1,
            "id": 4250
          },
          {
            "timestamp": "2026-04-16 20:00:25,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER35C3.tmp.txt"
              }
            ],
            "repeated": 0,
            "id": 4251
          },
          {
            "timestamp": "2026-04-16 20:00:25,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER35C3.tmp.txt"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4252
          },
          {
            "timestamp": "2026-04-16 20:00:25,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 4253
          },
          {
            "timestamp": "2026-04-16 20:00:25,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4254
          },
          {
            "timestamp": "2026-04-16 20:00:25,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 4255
          },
          {
            "timestamp": "2026-04-16 20:00:25,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ValueName",
                "value": "ForceNativeDump"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceNativeDump"
              }
            ],
            "repeated": 0,
            "id": 4256
          },
          {
            "timestamp": "2026-04-16 20:00:25,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 4257
          },
          {
            "timestamp": "2026-04-16 20:00:25,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4258
          },
          {
            "timestamp": "2026-04-16 20:00:25,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000100"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\NanoCore.exe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\NanoCore.exe"
              }
            ],
            "repeated": 0,
            "id": 4259
          },
          {
            "timestamp": "2026-04-16 20:00:25,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 4260
          },
          {
            "timestamp": "2026-04-16 20:00:25,268",
            "thread_id": "4696",
            "caller": "0x10002b73",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 4261
          },
          {
            "timestamp": "2026-04-16 20:00:25,268",
            "thread_id": "4696",
            "caller": "0x10001b2c",
            "parentcaller": "0x1000242f",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4262
          },
          {
            "timestamp": "2026-04-16 20:00:25,268",
            "thread_id": "4696",
            "caller": "0x10001b2c",
            "parentcaller": "0x1000242f",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c8"
              },
              {
                "name": "Milliseconds",
                "value": "10000"
              }
            ],
            "repeated": 0,
            "id": 4263
          },
          {
            "timestamp": "2026-04-16 20:00:25,268",
            "thread_id": "4696",
            "caller": "0x10001b58",
            "parentcaller": "0x1000242f",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4264
          },
          {
            "timestamp": "2026-04-16 20:00:25,268",
            "thread_id": "4696",
            "caller": "0x10001b58",
            "parentcaller": "0x1000242f",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              },
              {
                "name": "Milliseconds",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 4265
          },
          {
            "timestamp": "2026-04-16 20:00:25,283",
            "thread_id": "4696",
            "caller": "0x10001b85",
            "parentcaller": "0x1000242f",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c8"
              }
            ],
            "repeated": 0,
            "id": 4266
          },
          {
            "timestamp": "2026-04-16 20:00:25,283",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4267
          },
          {
            "timestamp": "2026-04-16 20:00:25,283",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4268
          },
          {
            "timestamp": "2026-04-16 20:00:25,283",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 4269
          },
          {
            "timestamp": "2026-04-16 20:00:25,283",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4270
          },
          {
            "timestamp": "2026-04-16 20:00:25,283",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4271
          },
          {
            "timestamp": "2026-04-16 20:00:25,283",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 4272
          },
          {
            "timestamp": "2026-04-16 20:00:25,283",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4273
          },
          {
            "timestamp": "2026-04-16 20:00:25,283",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 4274
          },
          {
            "timestamp": "2026-04-16 20:00:25,283",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 4275
          },
          {
            "timestamp": "2026-04-16 20:00:25,330",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 4276
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 4277
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 4278
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 4279
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 1,
            "id": 4280
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000244"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00110080",
                "pretty_value": "FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4281
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000244"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x96\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\\\x00W\\x00E\\x00R\\x002\\x00D\\x00B\\x003\\x00.\\x00t\\x00m\\x00p\\x00.\\x00W\\x00E\\x00R\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00M\\x00e\\x00t\\x00a\\x00d\\x00a\\x00t\\x00a\\x00.\\x00x\\x00m\\x00l\\x00"
              }
            ],
            "repeated": 0,
            "id": 4282
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000023c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4283
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000023c"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InputBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4284
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 4285
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000244"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x96\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\\\x00W\\x00E\\x00R\\x002\\x00D\\x00B\\x003\\x00.\\x00t\\x00m\\x00p\\x00.\\x00W\\x00E\\x00R\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00M\\x00e\\x00t\\x00a\\x00d\\x00a\\x00t\\x00a\\x00.\\x00x\\x00m\\x00l\\x00"
              }
            ],
            "repeated": 0,
            "id": 4286
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4287
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              }
            ],
            "repeated": 0,
            "id": 4288
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005dae68",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 4289
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 4290
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005dade8",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 4291
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 4292
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005dad68",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 4293
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 4294
          },
          {
            "timestamp": "2026-04-16 20:00:25,346",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4295
          },
          {
            "timestamp": "2026-04-16 20:00:25,361",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000244"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
              },
              {
                "name": "FileInformationClass",
                "value": "13",
                "pretty_value": "FileDispositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 4296
          },
          {
            "timestamp": "2026-04-16 20:00:25,361",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 4297
          },
          {
            "timestamp": "2026-04-16 20:00:25,361",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000244"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00110080",
                "pretty_value": "FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp.xml"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4298
          },
          {
            "timestamp": "2026-04-16 20:00:25,361",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000244"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp.xml"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "n\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\\\x00W\\x00E\\x00R\\x003\\x004\\x003\\x00C\\x00.\\x00t\\x00m\\x00p\\x00.\\x00x\\x00m\\x00l\\x00"
              }
            ],
            "repeated": 0,
            "id": 4299
          },
          {
            "timestamp": "2026-04-16 20:00:25,361",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000023c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4300
          },
          {
            "timestamp": "2026-04-16 20:00:25,361",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000023c"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InputBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4301
          },
          {
            "timestamp": "2026-04-16 20:00:25,361",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 4302
          },
          {
            "timestamp": "2026-04-16 20:00:25,361",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000244"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp.xml"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "n\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\\\x00W\\x00E\\x00R\\x003\\x004\\x003\\x00C\\x00.\\x00t\\x00m\\x00p\\x00.\\x00x\\x00m\\x00l\\x00"
              }
            ],
            "repeated": 0,
            "id": 4303
          },
          {
            "timestamp": "2026-04-16 20:00:25,361",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4304
          },
          {
            "timestamp": "2026-04-16 20:00:25,361",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp.xml"
              }
            ],
            "repeated": 0,
            "id": 4305
          },
          {
            "timestamp": "2026-04-16 20:00:25,361",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005da8a8",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 4306
          },
          {
            "timestamp": "2026-04-16 20:00:25,361",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 4307
          },
          {
            "timestamp": "2026-04-16 20:00:25,361",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005da9a8",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 4308
          },
          {
            "timestamp": "2026-04-16 20:00:25,361",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 4309
          },
          {
            "timestamp": "2026-04-16 20:00:25,361",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005daea8",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 4310
          },
          {
            "timestamp": "2026-04-16 20:00:25,361",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 4311
          },
          {
            "timestamp": "2026-04-16 20:00:25,361",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4312
          },
          {
            "timestamp": "2026-04-16 20:00:25,377",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000244"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp.xml"
              },
              {
                "name": "FileInformationClass",
                "value": "13",
                "pretty_value": "FileDispositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 4313
          },
          {
            "timestamp": "2026-04-16 20:00:25,377",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 4314
          },
          {
            "timestamp": "2026-04-16 20:00:25,377",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000244"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00110080",
                "pretty_value": "FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER3535.tmp.csv"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4315
          },
          {
            "timestamp": "2026-04-16 20:00:25,377",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000244"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER3535.tmp.csv"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "n\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\\\x00W\\x00E\\x00R\\x003\\x005\\x003\\x005\\x00.\\x00t\\x00m\\x00p\\x00.\\x00c\\x00s\\x00v\\x00"
              }
            ],
            "repeated": 0,
            "id": 4316
          },
          {
            "timestamp": "2026-04-16 20:00:25,377",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000023c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4317
          },
          {
            "timestamp": "2026-04-16 20:00:25,377",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000023c"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InputBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4318
          },
          {
            "timestamp": "2026-04-16 20:00:25,377",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 4319
          },
          {
            "timestamp": "2026-04-16 20:00:25,377",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000244"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER3535.tmp.csv"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "n\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\\\x00W\\x00E\\x00R\\x003\\x005\\x003\\x005\\x00.\\x00t\\x00m\\x00p\\x00.\\x00c\\x00s\\x00v\\x00"
              }
            ],
            "repeated": 0,
            "id": 4320
          },
          {
            "timestamp": "2026-04-16 20:00:25,377",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4321
          },
          {
            "timestamp": "2026-04-16 20:00:25,377",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER3535.tmp.csv"
              }
            ],
            "repeated": 0,
            "id": 4322
          },
          {
            "timestamp": "2026-04-16 20:00:25,377",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005dad68",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 4323
          },
          {
            "timestamp": "2026-04-16 20:00:25,377",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 4324
          },
          {
            "timestamp": "2026-04-16 20:00:25,377",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005daaa8",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 4325
          },
          {
            "timestamp": "2026-04-16 20:00:25,377",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 4326
          },
          {
            "timestamp": "2026-04-16 20:00:25,377",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005daca8",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 4327
          },
          {
            "timestamp": "2026-04-16 20:00:25,377",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 4328
          },
          {
            "timestamp": "2026-04-16 20:00:25,377",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4329
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000244"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER3535.tmp.csv"
              },
              {
                "name": "FileInformationClass",
                "value": "13",
                "pretty_value": "FileDispositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 4330
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 4331
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000244"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00110080",
                "pretty_value": "FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER35C3.tmp.txt"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4332
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000244"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER35C3.tmp.txt"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "n\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\\\x00W\\x00E\\x00R\\x003\\x005\\x00C\\x003\\x00.\\x00t\\x00m\\x00p\\x00.\\x00t\\x00x\\x00t\\x00"
              }
            ],
            "repeated": 0,
            "id": 4333
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000023c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4334
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000023c"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InputBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4335
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 4336
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000244"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER35C3.tmp.txt"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "n\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\\\x00W\\x00E\\x00R\\x003\\x005\\x00C\\x003\\x00.\\x00t\\x00m\\x00p\\x00.\\x00t\\x00x\\x00t\\x00"
              }
            ],
            "repeated": 0,
            "id": 4337
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4338
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER35C3.tmp.txt"
              }
            ],
            "repeated": 0,
            "id": 4339
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005dac68",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 4340
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 4341
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005da828",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 4342
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 4343
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x005da828",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 4344
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 4345
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4346
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000244"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER35C3.tmp.txt"
              },
              {
                "name": "FileInformationClass",
                "value": "13",
                "pretty_value": "FileDispositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 4347
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 4348
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              }
            ],
            "repeated": 0,
            "id": 4349
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 4350
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 4351
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x10002bb7",
            "parentcaller": "0x10002bd7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              }
            ],
            "repeated": 0,
            "id": 4352
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x77eab5a6",
            "parentcaller": "0x76acfa30",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4696"
              }
            ],
            "repeated": 0,
            "id": 4353
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x7726269a",
            "parentcaller": "0x77c7efaa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000380"
              }
            ],
            "repeated": 0,
            "id": 4354
          },
          {
            "timestamp": "2026-04-16 20:00:25,393",
            "thread_id": "4696",
            "caller": "0x7726269a",
            "parentcaller": "0x77c7efb3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              }
            ],
            "repeated": 0,
            "id": 4355
          },
          {
            "timestamp": "2026-04-16 20:00:25,408",
            "thread_id": "4696",
            "caller": "0x7726f231",
            "parentcaller": "0x736e2c18",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 4356
          },
          {
            "timestamp": "2026-04-16 20:00:25,408",
            "thread_id": "4696",
            "caller": "0x774e45ae",
            "parentcaller": "0x774e442c",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04190419",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000419"
              },
              {
                "name": "LanguageName",
                "value": "Russian"
              }
            ],
            "repeated": 0,
            "id": 4357
          },
          {
            "timestamp": "2026-04-16 20:00:25,408",
            "thread_id": "4696",
            "caller": "0x77eab5c9",
            "parentcaller": "0x76acfa30",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4358
          },
          {
            "timestamp": "2026-04-16 20:00:25,408",
            "thread_id": "3296",
            "caller": "0x10002cc2",
            "parentcaller": "0x10002f39",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 4359
          },
          {
            "timestamp": "2026-04-16 20:00:25,408",
            "thread_id": "3296",
            "caller": "0x1000224c",
            "parentcaller": "0x10002f4e",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02220000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4360
          },
          {
            "timestamp": "2026-04-16 20:00:25,408",
            "thread_id": "3296",
            "caller": "0x7726f231",
            "parentcaller": "0x736e16f1",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "mscoree.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000020"
              }
            ],
            "repeated": 0,
            "id": 4361
          },
          {
            "timestamp": "2026-04-16 20:00:25,408",
            "thread_id": "3296",
            "caller": "0x77e9d74d",
            "parentcaller": "0x76ad4113",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitCode",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 4362
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000388"
              }
            ],
            "repeated": 0,
            "id": 4363
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77270c75",
            "parentcaller": "0x7746d520",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03cb0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4364
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7726269a",
            "parentcaller": "0x7746d537",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 4365
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 4366
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 4367
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7726074f",
            "parentcaller": "0x75364ce2",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 4368
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x772696ea",
            "parentcaller": "0x75364d4e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 4369
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 4370
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000300"
              }
            ],
            "repeated": 0,
            "id": 4371
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000304"
              }
            ],
            "repeated": 0,
            "id": 4372
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 4373
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000030c"
              }
            ],
            "repeated": 0,
            "id": 4374
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000310"
              }
            ],
            "repeated": 0,
            "id": 4375
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000318"
              }
            ],
            "repeated": 0,
            "id": 4376
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 4377
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 4378
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              }
            ],
            "repeated": 0,
            "id": 4379
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031c"
              }
            ],
            "repeated": 0,
            "id": 4380
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              }
            ],
            "repeated": 0,
            "id": 4381
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 4382
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7726074f",
            "parentcaller": "0x756d7331",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 4383
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x772696ea",
            "parentcaller": "0x756d7342",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 4384
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002bc"
              }
            ],
            "repeated": 0,
            "id": 4385
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 4386
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7726269a",
            "parentcaller": "0x7619c8ad",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              }
            ],
            "repeated": 0,
            "id": 4387
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7726269a",
            "parentcaller": "0x7619c8bf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              }
            ],
            "repeated": 0,
            "id": 4388
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7726269a",
            "parentcaller": "0x7619c8ad",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b4"
              }
            ],
            "repeated": 0,
            "id": 4389
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7726269a",
            "parentcaller": "0x7619c8bf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              }
            ],
            "repeated": 0,
            "id": 4390
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              }
            ],
            "repeated": 0,
            "id": 4391
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              }
            ],
            "repeated": 0,
            "id": 4392
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000228"
              }
            ],
            "repeated": 0,
            "id": 4393
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000210"
              }
            ],
            "repeated": 0,
            "id": 4394
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7726074f",
            "parentcaller": "0x761b543b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 4395
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x772696ea",
            "parentcaller": "0x761b44ae",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 4396
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7726269a",
            "parentcaller": "0x7748d230",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              }
            ],
            "repeated": 0,
            "id": 4397
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77257f8b",
            "parentcaller": "0x705392fc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000280"
              }
            ],
            "repeated": 0,
            "id": 4398
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77257f8b",
            "parentcaller": "0x7053930c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000284"
              }
            ],
            "repeated": 0,
            "id": 4399
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7726269a",
            "parentcaller": "0x70531adb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000028c"
              }
            ],
            "repeated": 0,
            "id": 4400
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7726269a",
            "parentcaller": "0x70531af2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 4401
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7726269a",
            "parentcaller": "0x70531b09",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 4402
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7726074f",
            "parentcaller": "0x70555bb3",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 4403
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x772696ea",
            "parentcaller": "0x70555bc4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 4404
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e6f695",
            "parentcaller": "0x77e87aa4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x005ea000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4405
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x70561a6e",
            "parentcaller": "0x705629f0",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000288"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008",
                "pretty_value": "KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList"
              }
            ],
            "repeated": 0,
            "id": 4406
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x70562a6f",
            "parentcaller": "0x70562ce6",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000288"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4407
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x70562a6f",
            "parentcaller": "0x70562ce6",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000288"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 4408
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x70562a6f",
            "parentcaller": "0x70562ce6",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000288"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 4409
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x70562a6f",
            "parentcaller": "0x70562ce6",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000288"
              },
              {
                "name": "Index",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4410
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x70561af0",
            "parentcaller": "0x70562ab8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000290"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000288"
              },
              {
                "name": "ObjectAttributesName",
                "value": "S-1-5-21-3749840076-4109591986-3192690632-1000"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3749840076-4109591986-3192690632-1000"
              }
            ],
            "repeated": 0,
            "id": 4411
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7056172a",
            "parentcaller": "0x70562acc",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3749840076-4109591986-3192690632-1000\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 4412
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x705617c0",
            "parentcaller": "0x70562acc",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Users\\cape"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3749840076-4109591986-3192690632-1000\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 4413
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x70562a11",
            "parentcaller": "0x70562ce6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 4414
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x70562a6f",
            "parentcaller": "0x70562ce6",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000288"
              },
              {
                "name": "Index",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 4415
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x70562b89",
            "parentcaller": "0x70562ce6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 4416
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x70561a6e",
            "parentcaller": "0x70563e29",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000288"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows\\CurrentVersion"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 4417
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7056172a",
            "parentcaller": "0x70563e69",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000288"
              },
              {
                "name": "ValueName",
                "value": "CommonFilesDir"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir"
              }
            ],
            "repeated": 0,
            "id": 4418
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x705617c0",
            "parentcaller": "0x70563e69",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000288"
              },
              {
                "name": "ValueName",
                "value": "CommonFilesDir"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Program Files (x86)\\Common Files"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir"
              }
            ],
            "repeated": 0,
            "id": 4419
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7056172a",
            "parentcaller": "0x70563e69",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000288"
              },
              {
                "name": "ValueName",
                "value": "CommonFilesDir (x86)"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir (x86)"
              }
            ],
            "repeated": 0,
            "id": 4420
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x705617c0",
            "parentcaller": "0x70563e69",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000288"
              },
              {
                "name": "ValueName",
                "value": "CommonFilesDir (x86)"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Program Files (x86)\\Common Files"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir (x86)"
              }
            ],
            "repeated": 0,
            "id": 4421
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7056172a",
            "parentcaller": "0x70563e69",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000288"
              },
              {
                "name": "ValueName",
                "value": "ProgramFilesDir"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir"
              }
            ],
            "repeated": 0,
            "id": 4422
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x705617c0",
            "parentcaller": "0x70563e69",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000288"
              },
              {
                "name": "ValueName",
                "value": "ProgramFilesDir"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Program Files (x86)"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir"
              }
            ],
            "repeated": 0,
            "id": 4423
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7056172a",
            "parentcaller": "0x70563e69",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000288"
              },
              {
                "name": "ValueName",
                "value": "ProgramFilesDir (x86)"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)"
              }
            ],
            "repeated": 0,
            "id": 4424
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x705617c0",
            "parentcaller": "0x70563e69",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000288"
              },
              {
                "name": "ValueName",
                "value": "ProgramFilesDir (x86)"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Program Files (x86)"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)"
              }
            ],
            "repeated": 0,
            "id": 4425
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7056421a",
            "parentcaller": "0x70562780",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 4426
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x70561a6e",
            "parentcaller": "0x705642ee",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000288"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList"
              }
            ],
            "repeated": 0,
            "id": 4427
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7056172a",
            "parentcaller": "0x70561881",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000288"
              },
              {
                "name": "ValueName",
                "value": "ProgramData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProgramData"
              }
            ],
            "repeated": 0,
            "id": 4428
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x705617c0",
            "parentcaller": "0x70561881",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000288"
              },
              {
                "name": "ValueName",
                "value": "ProgramData"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemDrive%\\ProgramData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProgramData"
              }
            ],
            "repeated": 0,
            "id": 4429
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x70564bf8",
            "parentcaller": "0x705618b7",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              }
            ],
            "repeated": 0,
            "id": 4430
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7056172a",
            "parentcaller": "0x70561881",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000288"
              },
              {
                "name": "ValueName",
                "value": "Public"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\Public"
              }
            ],
            "repeated": 0,
            "id": 4431
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x705617c0",
            "parentcaller": "0x70561881",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000288"
              },
              {
                "name": "ValueName",
                "value": "Public"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemDrive%\\Users\\Public"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\Public"
              }
            ],
            "repeated": 0,
            "id": 4432
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x70564bf8",
            "parentcaller": "0x705618b7",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              }
            ],
            "repeated": 0,
            "id": 4433
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7056485c",
            "parentcaller": "0x70562780",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 4434
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e6f695",
            "parentcaller": "0x77e87aa4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x005e5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4435
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e6f695",
            "parentcaller": "0x77e87aa4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x005f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4436
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e6fb34",
            "parentcaller": "0x77e6f81b",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x005f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4437
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e6fb34",
            "parentcaller": "0x77e6f81b",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x005e5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4438
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000278"
              }
            ],
            "repeated": 0,
            "id": 4439
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 4440
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 4441
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e69e97",
            "parentcaller": "0x704f8f27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              }
            ],
            "repeated": 0,
            "id": 4442
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e69e9f",
            "parentcaller": "0x704f8f27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              }
            ],
            "repeated": 0,
            "id": 4443
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e69e97",
            "parentcaller": "0x704f8f40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 4444
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e69e9f",
            "parentcaller": "0x704f8f40",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              }
            ],
            "repeated": 0,
            "id": 4445
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e69e97",
            "parentcaller": "0x704f74ec",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 4446
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e69e9f",
            "parentcaller": "0x704f74ec",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 4447
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e69e97",
            "parentcaller": "0x704f747c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 4448
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e69e9f",
            "parentcaller": "0x704f747c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              }
            ],
            "repeated": 0,
            "id": 4449
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 4450
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77270c75",
            "parentcaller": "0x76fad497",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x039f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4451
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7726269a",
            "parentcaller": "0x76fad4a0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032c"
              }
            ],
            "repeated": 0,
            "id": 4452
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7726074f",
            "parentcaller": "0x76f85f09",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 4453
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x772696ea",
            "parentcaller": "0x76f85eee",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 4454
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7726269a",
            "parentcaller": "0x76da9bee",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 4455
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000238"
              }
            ],
            "repeated": 0,
            "id": 4456
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              }
            ],
            "repeated": 0,
            "id": 4457
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000208"
              }
            ],
            "repeated": 0,
            "id": 4458
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 4459
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e6fb34",
            "parentcaller": "0x77e6fa92",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x039d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 4460
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e6fb34",
            "parentcaller": "0x77e6faf3",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04140000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 4461
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e6fb34",
            "parentcaller": "0x77e6faf3",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x03cf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 4462
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000020c"
              }
            ],
            "repeated": 0,
            "id": 4463
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7726074f",
            "parentcaller": "0x705b8d93",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 4464
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x772696ea",
            "parentcaller": "0x705b8dfe",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 4465
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e69e97",
            "parentcaller": "0x7515e78e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001cc"
              }
            ],
            "repeated": 0,
            "id": 4466
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e69e9f",
            "parentcaller": "0x7515e78e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001d0"
              }
            ],
            "repeated": 0,
            "id": 4467
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001c8"
              }
            ],
            "repeated": 0,
            "id": 4468
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x750a2ac1",
            "parentcaller": "0x77eb2a56",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001bc"
              }
            ],
            "repeated": 0,
            "id": 4469
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001a0"
              }
            ],
            "repeated": 0,
            "id": 4470
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001a4"
              }
            ],
            "repeated": 0,
            "id": 4471
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000019c"
              }
            ],
            "repeated": 0,
            "id": 4472
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000184"
              }
            ],
            "repeated": 0,
            "id": 4473
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000188"
              }
            ],
            "repeated": 0,
            "id": 4474
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000018c"
              }
            ],
            "repeated": 0,
            "id": 4475
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000190"
              }
            ],
            "repeated": 0,
            "id": 4476
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000194"
              }
            ],
            "repeated": 0,
            "id": 4477
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000198"
              }
            ],
            "repeated": 0,
            "id": 4478
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e8ff5f",
            "parentcaller": "0x77e8fe54",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77122000"
              },
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4479
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e8ff94",
            "parentcaller": "0x77e8fe54",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77122000"
              },
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4480
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000017c"
              }
            ],
            "repeated": 0,
            "id": 4481
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000180"
              }
            ],
            "repeated": 0,
            "id": 4482
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000178"
              }
            ],
            "repeated": 0,
            "id": 4483
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7726074f",
            "parentcaller": "0x77088581",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 4484
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x772696ea",
            "parentcaller": "0x77088592",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 4485
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e6f695",
            "parentcaller": "0x77e842a8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x005e5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4486
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000015c"
              }
            ],
            "repeated": 0,
            "id": 4487
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000160"
              }
            ],
            "repeated": 0,
            "id": 4488
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000164"
              }
            ],
            "repeated": 0,
            "id": 4489
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000168"
              }
            ],
            "repeated": 0,
            "id": 4490
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000016c"
              }
            ],
            "repeated": 0,
            "id": 4491
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000174"
              }
            ],
            "repeated": 0,
            "id": 4492
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000170"
              }
            ],
            "repeated": 0,
            "id": 4493
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000013c"
              }
            ],
            "repeated": 0,
            "id": 4494
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000140"
              }
            ],
            "repeated": 0,
            "id": 4495
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000138"
              }
            ],
            "repeated": 0,
            "id": 4496
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000390"
              }
            ],
            "repeated": 0,
            "id": 4497
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7726269a",
            "parentcaller": "0x77bed111",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000134"
              }
            ],
            "repeated": 0,
            "id": 4498
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77257f8b",
            "parentcaller": "0x77becf49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000012c"
              }
            ],
            "repeated": 0,
            "id": 4499
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77257f8b",
            "parentcaller": "0x77becf58",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000130"
              }
            ],
            "repeated": 0,
            "id": 4500
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x7726269a",
            "parentcaller": "0x77bed111",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000128"
              }
            ],
            "repeated": 0,
            "id": 4501
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77257f8b",
            "parentcaller": "0x77becf49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000124"
              }
            ],
            "repeated": 0,
            "id": 4502
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77257f8b",
            "parentcaller": "0x77becf58",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000120"
              }
            ],
            "repeated": 0,
            "id": 4503
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77257f8b",
            "parentcaller": "0x77c6f495",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 4504
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77257f8b",
            "parentcaller": "0x77c6f495",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 4505
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000104"
              }
            ],
            "repeated": 0,
            "id": 4506
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000108"
              }
            ],
            "repeated": 0,
            "id": 4507
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000e8"
              }
            ],
            "repeated": 0,
            "id": 4508
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000ec"
              }
            ],
            "repeated": 0,
            "id": 4509
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000f0"
              }
            ],
            "repeated": 0,
            "id": 4510
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x76882a84",
            "parentcaller": "0x7687e061",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              }
            ],
            "repeated": 0,
            "id": 4511
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x76882ac2",
            "parentcaller": "0x7687e061",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000f0"
              },
              {
                "name": "ValueName",
                "value": "DisableMetaFiles"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
              }
            ],
            "repeated": 0,
            "id": 4512
          },
          {
            "timestamp": "2026-04-16 20:00:25,689",
            "thread_id": "3296",
            "caller": "0x76882aed",
            "parentcaller": "0x7687e061",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000f0"
              }
            ],
            "repeated": 0,
            "id": 4513
          },
          {
            "timestamp": "2026-04-16 20:00:25,705",
            "thread_id": "3296",
            "caller": "0x76882b16",
            "parentcaller": "0x7687e061",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              }
            ],
            "repeated": 0,
            "id": 4514
          },
          {
            "timestamp": "2026-04-16 20:00:25,705",
            "thread_id": "3296",
            "caller": "0x76882b51",
            "parentcaller": "0x7687e061",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000f0"
              },
              {
                "name": "ValueName",
                "value": "DisableUmpdBufferSizeCheck"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck"
              }
            ],
            "repeated": 0,
            "id": 4515
          },
          {
            "timestamp": "2026-04-16 20:00:25,705",
            "thread_id": "3296",
            "caller": "0x76882b83",
            "parentcaller": "0x7687e061",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000f0"
              }
            ],
            "repeated": 0,
            "id": 4516
          },
          {
            "timestamp": "2026-04-16 20:00:25,705",
            "thread_id": "3296",
            "caller": "0x7726074f",
            "parentcaller": "0x7687f391",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 4517
          },
          {
            "timestamp": "2026-04-16 20:00:25,705",
            "thread_id": "3296",
            "caller": "0x772696ea",
            "parentcaller": "0x7687f3a2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 4518
          },
          {
            "timestamp": "2026-04-16 20:00:25,705",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000e4"
              }
            ],
            "repeated": 0,
            "id": 4519
          },
          {
            "timestamp": "2026-04-16 20:00:25,705",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000e0"
              }
            ],
            "repeated": 0,
            "id": 4520
          },
          {
            "timestamp": "2026-04-16 20:00:25,705",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000dc"
              }
            ],
            "repeated": 0,
            "id": 4521
          },
          {
            "timestamp": "2026-04-16 20:00:25,705",
            "thread_id": "3296",
            "caller": "0x7726074f",
            "parentcaller": "0x76944a0a",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              }
            ],
            "repeated": 0,
            "id": 4522
          },
          {
            "timestamp": "2026-04-16 20:00:25,705",
            "thread_id": "3296",
            "caller": "0x772696ea",
            "parentcaller": "0x76943b5e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x77e40000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x77e9f5a0"
              }
            ],
            "repeated": 0,
            "id": 4523
          },
          {
            "timestamp": "2026-04-16 20:00:25,705",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001dc"
              }
            ],
            "repeated": 0,
            "id": 4524
          },
          {
            "timestamp": "2026-04-16 20:00:25,705",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99a8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000d8"
              }
            ],
            "repeated": 0,
            "id": 4525
          },
          {
            "timestamp": "2026-04-16 20:00:25,705",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000090"
              }
            ],
            "repeated": 0,
            "id": 4526
          },
          {
            "timestamp": "2026-04-16 20:00:25,705",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000a4"
              }
            ],
            "repeated": 0,
            "id": 4527
          },
          {
            "timestamp": "2026-04-16 20:00:25,705",
            "thread_id": "3296",
            "caller": "0x77e99b53",
            "parentcaller": "0x77e99ad5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000a8"
              }
            ],
            "repeated": 0,
            "id": 4528
          },
          {
            "timestamp": "2026-04-16 20:00:25,705",
            "thread_id": "3296",
            "caller": "0x77e9d79d",
            "parentcaller": "0x76ad4113",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ExitCode",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 4529
          }
        ],
        "threads": [
          "3296",
          "6988",
          "5372",
          "6880",
          "2884",
          "4696",
          "7760",
          "6936"
        ],
        "environ": {
          "UserName": "cape",
          "ComputerName": "DESKTOP-PC01",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\cape\\AppData\\Local\\Temp\\",
          "CommandLine": "dw20.exe -x -s 1208",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "7c6d-8d48",
          "SystemVolumeGUID": "c48439d1-0000-0000-0000-100000000000",
          "MachineGUID": "",
          "MainExeBase": "0x10000000",
          "MainExeSize": "0x00009000",
          "Bitness": "32-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      }
    ],
    "anomaly": [],
    "processtree": [
      {
        "name": "NanoCore.exe",
        "pid": 7684,
        "parent_id": 7304,
        "module_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "children": [
          {
            "name": "dw20.exe",
            "pid": 3832,
            "parent_id": 7684,
            "module_path": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\dw20.exe",
            "children": [],
            "threads": [
              "3296",
              "6988",
              "5372",
              "6880",
              "2884",
              "4696",
              "7760",
              "6936"
            ],
            "environ": {
              "UserName": "cape",
              "ComputerName": "DESKTOP-PC01",
              "WindowsPath": "C:\\Windows",
              "TempPath": "C:\\Users\\cape\\AppData\\Local\\Temp\\",
              "CommandLine": "dw20.exe -x -s 1208",
              "RegisteredOwner": "",
              "RegisteredOrganization": "",
              "ProductName": "",
              "SystemVolumeSerialNumber": "7c6d-8d48",
              "SystemVolumeGUID": "c48439d1-0000-0000-0000-100000000000",
              "MachineGUID": "",
              "MainExeBase": "0x10000000",
              "MainExeSize": "0x00009000",
              "Bitness": "32-bit"
            }
          }
        ],
        "threads": [
          "4344",
          "7688",
          "1168",
          "5476",
          "176",
          "6276",
          "6048",
          "5932",
          "3964",
          "7484",
          "3172"
        ],
        "environ": {
          "UserName": "cape",
          "ComputerName": "DESKTOP-PC01",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\cape\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe\" ",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "7c6d-8d48",
          "SystemVolumeGUID": "c48439d1-0000-0000-0000-100000000000",
          "MachineGUID": "",
          "MainExeBase": "0x00b10000",
          "MainExeSize": "0x00168000",
          "Bitness": "32-bit"
        }
      }
    ],
    "summary": {
      "files": [
        "C:\\Windows\\System32\\MSCOREE.DLL.local",
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\*",
        "C:\\Windows\\Microsoft.NET\\Framework\\v1.0.3705\\clr.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v1.0.3705\\mscorwks.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v1.1.4322\\clr.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v1.1.4322\\mscorwks.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\clr.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe.config",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe",
        "C:\\Windows\\WinSxS\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\\msvcr80.dll",
        "C:\\Windows",
        "C:\\Windows\\WinSxS",
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac",
        "C:\\Users\\cape\\AppData\\Local\\Microsoft\\CLR_v2.0_32\\UsageLogs\\NanoCore.exe.log",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
        "C:\\Windows\\System32\\windows.storage.dll",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\Wldp.dll",
        "C:\\Windows\\System32\\wldp.dll",
        "C:\\Users\\cape\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config",
        "C:\\Users\\cape\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch",
        "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\indexc.dat",
        "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI",
        "C:\\Users",
        "C:\\Users\\cape",
        "C:\\Users\\cape\\AppData",
        "C:\\Users\\cape\\AppData\\Local",
        "C:\\Users\\cape\\AppData\\Local\\Temp",
        "C:\\Windows\\System32\\bcryptPrimitives.dll",
        "\\Device\\CNG",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.config",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.INI",
        "C:\\Windows\\System32\\l_intl.nls",
        "C:\\Windows\\Globalization\\ru-ru.nlp",
        "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp",
        "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp",
        "C:\\Windows\\assembly\\pubpol5.dat",
        "C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme",
        "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.INI",
        "C:\\Windows\\assembly\\GAC_32\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a",
        "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a",
        "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll",
        "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.INI",
        "C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\System.Windows.Forms.INI",
        "C:\\Windows\\assembly\\GAC_MSIL\\System.Drawing\\2.0.0.0__b03f5f7f11d50a3a\\System.Drawing.INI",
        "C:\\Windows\\assembly\\GAC_32\\System.Runtime.Remoting\\2.0.0.0__b77a5c561934e089",
        "C:\\Windows\\assembly\\GAC_MSIL\\System.Runtime.Remoting\\2.0.0.0__b77a5c561934e089",
        "C:\\Windows\\assembly\\GAC_MSIL\\System.Runtime.Remoting\\2.0.0.0__b77a5c561934e089\\System.Runtime.Remoting.dll",
        "C:\\Windows\\assembly\\GAC_MSIL\\System.Runtime.Remoting\\2.0.0.0__b77a5c561934e089\\System.Runtime.Remoting.INI",
        "C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.dll",
        "C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.INI",
        "C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.INI",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\CRYPTSP.dll",
        "C:\\Windows\\System32\\cryptsp.dll",
        "C:\\Windows\\System32\\tzres.dll",
        "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\tzres.dll.mui",
        "C:\\Windows\\System32\\ru-RU\\tzres.dll.mui",
        "C:\\Windows\\sysnative\\ru-RU\\tzres.dll.mui",
        "C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\ServerPlugin.dll",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\ServerPlugin\\ServerPlugin.dll",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\ServerPlugin.exe",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\ServerPlugin\\ServerPlugin.exe",
        "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\KERNELBASE.dll.mui",
        "C:\\Windows\\System32\\ru-RU\\KERNELBASE.dll.mui",
        "C:\\Windows\\sysnative\\ru-RU\\KERNELBASE.dll.mui",
        "C:\\Windows\\System32\\msctf.dll",
        "C:\\Windows\\WinSxS\\SystemResources\\gdiplus.dll.mun",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\DWrite.dll",
        "C:\\Windows\\System32\\DWrite.dll",
        "C:\\Windows\\Fonts\\BAHNSCHRIFT.TTF",
        "C:\\Windows\\Fonts\\calibri.ttf",
        "C:\\Windows\\Fonts\\calibril.ttf",
        "C:\\Windows\\Fonts\\calibrii.ttf",
        "C:\\Windows\\Fonts\\CALIBRILI.TTF",
        "C:\\Windows\\Fonts\\calibrib.ttf",
        "C:\\Windows\\Fonts\\calibriz.ttf",
        "C:\\Windows\\Fonts\\cambria.ttc",
        "C:\\Windows\\Fonts\\cambriai.ttf",
        "C:\\Windows\\Fonts\\cambriab.ttf",
        "C:\\Windows\\Fonts\\cambriaz.ttf",
        "C:\\Windows\\Fonts\\Candara.ttf",
        "C:\\Windows\\Fonts\\Candaral.ttf",
        "C:\\Windows\\Fonts\\Candarai.ttf",
        "C:\\Windows\\Fonts\\CANDARALI.TTF",
        "C:\\Windows\\Fonts\\Candarab.ttf",
        "C:\\Windows\\Fonts\\Candaraz.ttf",
        "C:\\Windows\\Fonts\\comic.ttf",
        "C:\\Windows\\Fonts\\comici.ttf",
        "C:\\Windows\\Fonts\\comicbd.ttf",
        "C:\\Windows\\Fonts\\comicz.ttf",
        "C:\\Windows\\Fonts\\consola.ttf",
        "C:\\Windows\\Fonts\\consolai.ttf",
        "C:\\Windows\\Fonts\\consolab.ttf",
        "C:\\Windows\\Fonts\\consolaz.ttf",
        "C:\\Windows\\Fonts\\constan.ttf",
        "C:\\Windows\\Fonts\\constani.ttf",
        "C:\\Windows\\Fonts\\constanb.ttf",
        "C:\\Windows\\Fonts\\constanz.ttf",
        "C:\\Windows\\Fonts\\corbel.ttf",
        "C:\\Windows\\Fonts\\corbell.ttf",
        "C:\\Windows\\Fonts\\corbeli.ttf",
        "C:\\Windows\\Fonts\\corbelli.ttf",
        "C:\\Windows\\Fonts\\corbelb.ttf",
        "C:\\Windows\\Fonts\\corbelz.ttf",
        "C:\\Windows\\Fonts\\cour.ttf",
        "C:\\Windows\\Fonts\\couri.ttf",
        "C:\\Windows\\Fonts\\courbd.ttf",
        "C:\\Windows\\Fonts\\courbi.ttf",
        "C:\\Windows\\Fonts\\ebrima.ttf",
        "C:\\Windows\\Fonts\\ebrimabd.ttf",
        "C:\\Windows\\Fonts\\framd.ttf",
        "C:\\Windows\\Fonts\\framdit.ttf",
        "C:\\Windows\\Fonts\\Gabriola.ttf",
        "C:\\Windows\\Fonts\\gadugi.ttf",
        "C:\\Windows\\Fonts\\gadugib.ttf",
        "C:\\Windows\\Fonts\\georgia.ttf",
        "C:\\Windows\\Fonts\\georgiai.ttf",
        "C:\\Windows\\Fonts\\georgiab.ttf",
        "C:\\Windows\\Fonts\\georgiaz.ttf",
        "C:\\Windows\\Fonts\\impact.ttf",
        "C:\\Windows\\Fonts\\Inkfree.ttf",
        "C:\\Windows\\Fonts\\javatext.ttf",
        "C:\\Windows\\Fonts\\LeelawUI.ttf",
        "C:\\Windows\\Fonts\\LeelUIsl.ttf",
        "C:\\Windows\\Fonts\\LeelaUIb.ttf",
        "C:\\Windows\\Fonts\\lucon.ttf",
        "C:\\Windows\\Fonts\\l_10646.ttf",
        "C:\\Windows\\Fonts\\malgunsl.ttf",
        "C:\\Windows\\Fonts\\malgunbd.ttf",
        "C:\\Windows\\Fonts\\himalaya.ttf",
        "C:\\Windows\\Fonts\\msjhl.ttc",
        "C:\\Windows\\Fonts\\msjhbd.ttc",
        "C:\\Windows\\Fonts\\msjh.ttc",
        "C:\\Windows\\Fonts\\ntailu.ttf",
        "C:\\Windows\\Fonts\\ntailub.ttf",
        "C:\\Windows\\Fonts\\phagspa.ttf",
        "C:\\Windows\\Fonts\\phagspab.ttf",
        "C:\\Windows\\Fonts\\micross.ttf",
        "C:\\Windows\\Fonts\\taile.ttf",
        "C:\\Windows\\Fonts\\taileb.ttf",
        "C:\\Windows\\Fonts\\msyhl.ttc",
        "C:\\Windows\\Fonts\\msyhbd.ttc",
        "C:\\Windows\\Fonts\\msyh.ttc",
        "C:\\Windows\\Fonts\\msyi.ttf",
        "C:\\Windows\\Fonts\\mingliub.ttc",
        "C:\\Windows\\Fonts\\monbaiti.ttf",
        "C:\\Windows\\Fonts\\msgothic.ttc",
        "C:\\Windows\\Fonts\\mvboli.ttf",
        "C:\\Windows\\Fonts\\mmrtext.ttf",
        "C:\\Windows\\Fonts\\mmrtextb.ttf",
        "C:\\Windows\\Fonts\\Nirmala.ttf",
        "C:\\Windows\\Fonts\\NirmalaS.ttf",
        "C:\\Windows\\Fonts\\NirmalaB.ttf",
        "C:\\Windows\\Fonts\\pala.ttf",
        "C:\\Windows\\Fonts\\palai.ttf",
        "C:\\Windows\\Fonts\\palab.ttf",
        "C:\\Windows\\Fonts\\palabi.ttf",
        "C:\\Windows\\Fonts\\segoepr.ttf",
        "C:\\Windows\\Fonts\\segoeprb.ttf",
        "C:\\Windows\\Fonts\\segoesc.ttf",
        "C:\\Windows\\Fonts\\segoescb.ttf",
        "C:\\Windows\\Fonts\\seguiemj.ttf",
        "C:\\Windows\\Fonts\\seguihis.ttf",
        "C:\\Windows\\Fonts\\seguisym.ttf",
        "C:\\Windows\\Fonts\\simsun.ttc",
        "C:\\Windows\\Fonts\\simsunb.ttf",
        "C:\\Windows\\Fonts\\Sitka.ttc",
        "C:\\Windows\\Fonts\\SitkaI.ttc",
        "C:\\Windows\\Fonts\\SitkaB.ttc",
        "C:\\Windows\\Fonts\\SitkaZ.ttc",
        "C:\\Windows\\Fonts\\sylfaen.ttf",
        "C:\\Windows\\Fonts\\symbol.ttf",
        "C:\\Windows\\Fonts\\tahoma.ttf",
        "C:\\Windows\\Fonts\\tahomabd.ttf",
        "C:\\Windows\\Fonts\\trebuc.ttf",
        "C:\\Windows\\Fonts\\trebucit.ttf",
        "C:\\Windows\\Fonts\\trebucbd.ttf",
        "C:\\Windows\\Fonts\\trebucbi.ttf",
        "C:\\Windows\\Fonts\\verdana.ttf",
        "C:\\Windows\\Fonts\\verdanai.ttf",
        "C:\\Windows\\Fonts\\verdanab.ttf",
        "C:\\Windows\\Fonts\\verdanaz.ttf",
        "C:\\Windows\\Fonts\\webdings.ttf",
        "C:\\Windows\\Fonts\\wingding.ttf",
        "C:\\Windows\\Fonts\\YuGothM.ttc",
        "C:\\Windows\\Fonts\\YuGothL.ttc",
        "C:\\Windows\\Fonts\\YuGothB.ttc",
        "C:\\Windows\\Fonts\\YuGothR.ttc",
        "C:\\Windows\\Fonts\\holomdl2.ttf",
        "C:\\Windows\\Fonts\\ALEF-REGULAR.TTF",
        "C:\\Windows\\Fonts\\ALEF-BOLD.TTF",
        "C:\\Windows\\Fonts\\DAVIDCLM-MEDIUM.OTF",
        "C:\\Windows\\Fonts\\DAVIDCLM-MEDIUMITALIC.OTF",
        "C:\\Windows\\Fonts\\DAVIDCLM-BOLD.OTF",
        "C:\\Windows\\Fonts\\DAVIDCLM-BOLDITALIC.OTF",
        "C:\\Windows\\Fonts\\LIBERATIONMONO-REGULAR.TTF",
        "C:\\Windows\\Fonts\\LIBERATIONMONO-ITALIC.TTF",
        "C:\\Windows\\Fonts\\LIBERATIONMONO-BOLD.TTF",
        "C:\\Windows\\Fonts\\LIBERATIONMONO-BOLDITALIC.TTF",
        "C:\\Windows\\Fonts\\NOTONASKHARABIC-REGULAR.TTF",
        "C:\\Windows\\Fonts\\NOTONASKHARABIC-BOLD.TTF",
        "C:\\Windows\\Fonts\\CALADEA-REGULAR.TTF",
        "C:\\Windows\\Fonts\\CALADEA-ITALIC.TTF",
        "C:\\Windows\\Fonts\\CALADEA-BOLD.TTF",
        "C:\\Windows\\Fonts\\CALADEA-BOLDITALIC.TTF",
        "C:\\Windows\\Fonts\\ReemKufi.ttf",
        "C:\\Windows\\Fonts\\NOTOSANS-REGULAR.TTF",
        "C:\\Windows\\Fonts\\NOTOSANS-ITALIC.TTF",
        "C:\\Windows\\Fonts\\NOTOSANS-BOLD.TTF",
        "C:\\Windows\\Fonts\\NOTOSANS-BOLDITALIC.TTF",
        "C:\\Windows\\Fonts\\NOTOSERIFGEORGIAN-REGULAR.TTF",
        "C:\\Windows\\Fonts\\NOTOSERIFGEORGIAN-BOLD.TTF",
        "C:\\Windows\\Fonts\\AMIRI-REGULAR.TTF",
        "C:\\Windows\\Fonts\\AMIRI-ITALIC.TTF",
        "C:\\Windows\\Fonts\\AMIRI-BOLD.TTF",
        "C:\\Windows\\Fonts\\AMIRI-BOLDITALIC.TTF",
        "C:\\Windows\\Fonts\\LIBERATIONSANS-REGULAR.TTF",
        "C:\\Windows\\Fonts\\LIBERATIONSANS-ITALIC.TTF",
        "C:\\Windows\\Fonts\\LIBERATIONSANS-BOLD.TTF",
        "C:\\Windows\\Fonts\\LIBERATIONSANS-BOLDITALIC.TTF",
        "C:\\Windows\\Fonts\\LIBERATIONSANSNARROW-REGULAR.TTF",
        "C:\\Windows\\Fonts\\LIBERATIONSANSNARROW-ITALIC.TTF",
        "C:\\Windows\\Fonts\\LIBERATIONSANSNARROW-BOLD.TTF",
        "C:\\Windows\\Fonts\\LIBERATIONSANSNARROW-BOLDITALIC.TTF",
        "C:\\Windows\\Fonts\\NOTOKUFIARABIC-REGULAR.TTF",
        "C:\\Windows\\Fonts\\NOTOKUFIARABIC-BOLD.TTF",
        "C:\\Windows\\Fonts\\NOTOSANSARMENIAN-REGULAR.TTF",
        "C:\\Windows\\Fonts\\NOTOSANSARMENIAN-BOLD.TTF",
        "C:\\Windows\\Fonts\\NOTOSANSHEBREW-REGULAR.TTF",
        "C:\\Windows\\Fonts\\NOTOSANSHEBREW-BOLD.TTF",
        "C:\\Windows\\Fonts\\DEJAVUMATHTEXGYRE.TTF",
        "C:\\Windows\\Fonts\\opens___.ttf",
        "C:\\Windows\\Fonts\\DAVIDLIBRE-REGULAR.TTF",
        "C:\\Windows\\Fonts\\DAVIDLIBRE-BOLD.TTF",
        "C:\\Windows\\Fonts\\GenBasR.ttf",
        "C:\\Windows\\Fonts\\GenBasI.ttf",
        "C:\\Windows\\Fonts\\GenBasB.ttf",
        "C:\\Windows\\Fonts\\GenBasBI.ttf",
        "C:\\Windows\\Fonts\\NOTOSERIFLAO-REGULAR.TTF",
        "C:\\Windows\\Fonts\\NOTOSERIFLAO-BOLD.TTF",
        "C:\\Windows\\Fonts\\NOTOSERIFARMENIAN-REGULAR.TTF",
        "C:\\Windows\\Fonts\\NOTOSERIFARMENIAN-BOLD.TTF",
        "C:\\Windows\\Fonts\\NOTOSANSARABIC-REGULAR.TTF",
        "C:\\Windows\\Fonts\\NOTOSANSARABIC-BOLD.TTF",
        "C:\\Windows\\Fonts\\NOTOSANSGEORGIAN-REGULAR.TTF",
        "C:\\Windows\\Fonts\\NOTOSANSGEORGIAN-BOLD.TTF",
        "C:\\Windows\\Fonts\\NOTOSANSLAO-REGULAR.TTF",
        "C:\\Windows\\Fonts\\NOTOSANSLAO-BOLD.TTF",
        "C:\\Windows\\Fonts\\NOTOSERIFHEBREW-REGULAR.TTF",
        "C:\\Windows\\Fonts\\NOTOSERIFHEBREW-BOLD.TTF",
        "C:\\Windows\\Fonts\\LINBIOLINUM_R_G.TTF",
        "C:\\Windows\\Fonts\\LINBIOLINUM_RI_G.TTF",
        "C:\\Windows\\Fonts\\LINBIOLINUM_RB_G.TTF",
        "C:\\Windows\\Fonts\\CARLITO-REGULAR.TTF",
        "C:\\Windows\\Fonts\\CARLITO-ITALIC.TTF",
        "C:\\Windows\\Fonts\\CARLITO-BOLD.TTF",
        "C:\\Windows\\Fonts\\CARLITO-BOLDITALIC.TTF",
        "C:\\Windows\\Fonts\\NOTOSANSLISU-REGULAR.TTF",
        "C:\\Windows\\Fonts\\NOTOSANSLISU-BOLD.TTF",
        "C:\\Windows\\Fonts\\SCHEHERAZADE-REGULAR.TTF",
        "C:\\Windows\\Fonts\\SCHEHERAZADE-BOLD.TTF",
        "C:\\Windows\\Fonts\\NOTOSERIF-REGULAR.TTF",
        "C:\\Windows\\Fonts\\NOTOSERIF-ITALIC.TTF",
        "C:\\Windows\\Fonts\\NOTOSERIF-BOLD.TTF",
        "C:\\Windows\\Fonts\\NOTOSERIF-BOLDITALIC.TTF",
        "C:\\Windows\\Fonts\\AMIRIQURAN.TTF",
        "C:\\Windows\\Fonts\\FRANKRUEHLCLM-MEDIUM.OTF",
        "C:\\Windows\\Fonts\\FRANKRUEHLCLM-MEDIUMOBLIQUE.OTF",
        "C:\\Windows\\Fonts\\FRANKRUEHLCLM-BOLD.OTF",
        "C:\\Windows\\Fonts\\FRANKRUEHLCLM-BOLDOBLIQUE.OTF",
        "C:\\Windows\\Fonts\\MIRIAMCLM-BOOK.OTF",
        "C:\\Windows\\Fonts\\MIRIAMCLM-BOLD.OTF",
        "C:\\Windows\\Fonts\\MIRIAMMONOCLM-BOOK.TTF",
        "C:\\Windows\\Fonts\\MIRIAMMONOCLM-BOOKOBLIQUE.TTF",
        "C:\\Windows\\Fonts\\MIRIAMMONOCLM-BOLD.TTF",
        "C:\\Windows\\Fonts\\MIRIAMMONOCLM-BOLDOBLIQUE.TTF",
        "C:\\Windows\\Fonts\\NACHLIELICLM-LIGHT.OTF",
        "C:\\Windows\\Fonts\\NACHLIELICLM-LIGHTOBLIQUE.OTF",
        "C:\\Windows\\Fonts\\NACHLIELICLM-BOLD.OTF",
        "C:\\Windows\\Fonts\\NACHLIELICLM-BOLDOBLIQUE.OTF",
        "C:\\Windows\\Fonts\\DEJAVUSANS.TTF",
        "C:\\Windows\\Fonts\\DEJAVUSANS-OBLIQUE.TTF",
        "C:\\Windows\\Fonts\\DEJAVUSANS-EXTRALIGHT.TTF",
        "C:\\Windows\\Fonts\\DEJAVUSANSCONDENSED.TTF",
        "C:\\Windows\\Fonts\\DEJAVUSANSCONDENSED-OBLIQUE.TTF",
        "C:\\Windows\\Fonts\\DEJAVUSANS-BOLD.TTF",
        "C:\\Windows\\Fonts\\DEJAVUSANS-BOLDOBLIQUE.TTF",
        "C:\\Windows\\Fonts\\DEJAVUSANSCONDENSED-BOLD.TTF",
        "C:\\Windows\\Fonts\\DEJAVUSANSCONDENSED-BOLDOBLIQUE.TTF",
        "C:\\Windows\\Fonts\\DEJAVUSANSMONO.TTF",
        "C:\\Windows\\Fonts\\DEJAVUSANSMONO-OBLIQUE.TTF",
        "C:\\Windows\\Fonts\\DEJAVUSANSMONO-BOLD.TTF",
        "C:\\Windows\\Fonts\\DEJAVUSANSMONO-BOLDOBLIQUE.TTF",
        "C:\\Windows\\Fonts\\DEJAVUSERIF.TTF",
        "C:\\Windows\\Fonts\\DEJAVUSERIFCONDENSED.TTF",
        "C:\\Windows\\Fonts\\DEJAVUSERIF-ITALIC.TTF",
        "C:\\Windows\\Fonts\\DEJAVUSERIF-BOLD.TTF",
        "C:\\Windows\\Fonts\\DEJAVUSERIFCONDENSED-ITALIC.TTF",
        "C:\\Windows\\Fonts\\DEJAVUSERIFCONDENSED-BOLD.TTF",
        "C:\\Windows\\Fonts\\DEJAVUSERIF-BOLDITALIC.TTF",
        "C:\\Windows\\Fonts\\DEJAVUSERIFCONDENSED-BOLDITALIC.TTF",
        "C:\\Windows\\Fonts\\GENBKBASR.TTF",
        "C:\\Windows\\Fonts\\GENBKBASI.TTF",
        "C:\\Windows\\Fonts\\GENBKBASB.TTF",
        "C:\\Windows\\Fonts\\GENBKBASBI.TTF",
        "C:\\Windows\\Fonts\\LIBERATIONSERIF-REGULAR.TTF",
        "C:\\Windows\\Fonts\\LIBERATIONSERIF-ITALIC.TTF",
        "C:\\Windows\\Fonts\\LIBERATIONSERIF-BOLD.TTF",
        "C:\\Windows\\Fonts\\LIBERATIONSERIF-BOLDITALIC.TTF",
        "C:\\Windows\\Fonts\\LINLIBERTINE_DR_G.TTF",
        "C:\\Windows\\Fonts\\LINLIBERTINE_R_G.TTF",
        "C:\\Windows\\Fonts\\LINLIBERTINE_RZ_G.TTF",
        "C:\\Windows\\Fonts\\LINLIBERTINE_RI_G.TTF",
        "C:\\Windows\\Fonts\\LINLIBERTINE_RB_G.TTF",
        "C:\\Windows\\Fonts\\LINLIBERTINE_RZI_G.TTF",
        "C:\\Windows\\Fonts\\LINLIBERTINE_RBI_G.TTF",
        "C:\\Windows\\Fonts\\FRANKRUHLHOFSHI-REGULAR.OTF",
        "C:\\Windows\\Fonts\\FRANKRUHLHOFSHI-BOLD.OTF",
        "C:\\Windows\\Fonts\\MIRIAMLIBRE-REGULAR.OTF",
        "C:\\Windows\\Fonts\\MIRIAMLIBRE-BOLD.OTF",
        "C:\\Windows\\Fonts\\RUBIK-REGULAR.TTF",
        "C:\\Windows\\Fonts\\RUBIK-ITALIC.TTF",
        "C:\\Windows\\Fonts\\RUBIK-BOLD.TTF",
        "C:\\Windows\\Fonts\\RUBIK-BOLDITALIC.TTF",
        "C:\\Windows\\Fonts\\marlett.ttf",
        "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\USER32.dll.mui",
        "C:\\Windows\\System32\\textinputframework.dll",
        "C:\\Windows\\System32\\CoreUIComponents.dll",
        "C:\\Windows\\System32\\CoreMessaging.dll",
        "C:\\Windows\\System32\\ntmarta.dll",
        "C:\\Windows\\System32\\WinTypes.dll",
        "C:\\Windows\\SystemResources\\USER32.dll.mun",
        "C:\\Windows\\Fonts\\staticcache.dat",
        "C:\\Windows\\Globalization\\en-us.nlp",
        "C:\\Windows\\assembly\\GAC_32\\mscorlib.resources\\2.0.0.0_ru-RU_b77a5c561934e089",
        "C:\\Windows\\assembly\\GAC_MSIL\\mscorlib.resources\\2.0.0.0_ru-RU_b77a5c561934e089",
        "C:\\Windows\\assembly\\GAC\\mscorlib.resources\\2.0.0.0_ru-RU_b77a5c561934e089",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\ru-RU\\mscorlib.resources.dll",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\ru-RU\\mscorlib.resources\\mscorlib.resources.dll",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\ru-RU\\mscorlib.resources.exe",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\ru-RU\\mscorlib.resources\\mscorlib.resources.exe",
        "C:\\Windows\\Globalization\\ru.nlp",
        "C:\\Windows\\assembly\\GAC_32\\mscorlib.resources\\2.0.0.0_ru_b77a5c561934e089",
        "C:\\Windows\\assembly\\GAC_MSIL\\mscorlib.resources\\2.0.0.0_ru_b77a5c561934e089",
        "C:\\Windows\\assembly\\GAC_MSIL\\mscorlib.resources\\2.0.0.0_ru_b77a5c561934e089\\mscorlib.resources.dll",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\TextShaping.dll",
        "C:\\Windows\\System32\\TextShaping.dll",
        "C:\\Windows\\assembly\\GAC_MSIL\\mscorlib.resources\\2.0.0.0_ru_b77a5c561934e089\\mscorlib.resources.INI",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.PDB",
        "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll",
        "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.pdb",
        "C:\\Windows\\symbols\\dll\\mscorlib.pdb",
        "C:\\Windows\\dll\\mscorlib.pdb",
        "C:\\Windows\\mscorlib.pdb",
        "\\Device\\IPT",
        "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\wer.dll.mui",
        "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
        "C:\\Windows\\System32\\aepic.dll",
        "C:\\Windows\\AppCompat\\Programs\\Amcache.hve.tmp",
        "C:\\Windows\\AppCompat\\Programs\\Amcache.hve",
        "C:\\Windows\\WinSxS\\FileMaps\\users_cape_appdata_local_temp_4cb87852de49944d.cdf-ms",
        "\\Device\\DeviceApi\\CMApi",
        "C:",
        "\\??\\PhysicalDrive0",
        "C:\\ProgramData\\Microsoft\\Windows\\WER",
        "\\??\\MountPointManager",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp",
        "C:\\ProgramData\\Microsoft\\Windows",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\acd29d50-6f1f-474a-a042-5278ee2cd631",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\3ce30f3c-ebfc-46de-8063-7e0038df70e1",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\94192d6b-e709-417d-93f9-f5879b5af313",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\4225bbd8-56a8-4c70-a672-42afd4aae78e",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Wldp.dll",
        "C:\\Windows\\System32\\kernel.appcore.dll",
        "C:\\Windows\\System32\\wer.dll.3.Manifest",
        "C:\\Windows\\System32\\phoneinfo.dll",
        "C:\\Windows\\System32\\drivers\\*.mrk",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\NETAPI32.dll",
        "C:\\Windows\\System32\\netapi32.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\DSREG.DLL",
        "C:\\Windows\\System32\\dsreg.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\msvcp110_win.dll",
        "C:\\Windows\\System32\\msvcp110_win.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\profapi.dll",
        "C:\\Windows\\System32\\profapi.dll",
        "C:\\Users\\cape\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead",
        "C:\\Users\\cape\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*",
        "C:\\Users\\cape\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*",
        "C:\\Users\\cape\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\XmlLite.dll",
        "C:\\Windows\\System32\\xmllite.dll",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp.xml",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER3535.tmp.csv",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER35C3.tmp.txt"
      ],
      "read_files": [],
      "write_files": [
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\acd29d50-6f1f-474a-a042-5278ee2cd631",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\3ce30f3c-ebfc-46de-8063-7e0038df70e1",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\94192d6b-e709-417d-93f9-f5879b5af313",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\4225bbd8-56a8-4c70-a672-42afd4aae78e",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp.xml"
      ],
      "delete_files": [
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp.xml",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER3535.tmp.csv",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER35C3.tmp.txt"
      ],
      "keys": [
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\policy\\v4.0",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\InstallRoot",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\UseLegacyV2RuntimeActivationPolicyDefaultValue",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
        "Policy\\Standards",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\Policy\\Standards",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\policy\\standards\\v2.0.50727",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Fusion\\NoClientChecks",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\GCStressStart",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\DisableConfigCache",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\AppPatch",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\policy\\AppPatch\\v4.0.30319.00000",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\policy\\AppPatch\\v4.0.30319.00000\\mscorwks.dll",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\NanoCore.exe",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\NGen\\Policy\\v2.0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\NGen\\Policy\\v2.0\\OptimizeUsedBinaries",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3749840076-4109591986-3192690632-1000",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\indexc",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\indexc\\NIUsageMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\indexc\\ILUsageMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\ConfigMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\ConfigString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\MVID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\EvalationData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\ILDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\NIDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\MissingDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\cb87bba\\1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\cb87bba\\1\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\cb87bba\\1\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\cb87bba\\1\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\cb87bba\\1\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\cb87bba\\1\\LastModTime",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration",
        "HKEY_CURRENT_USER",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\67ab48b3\\5693386e",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index5",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\ConfigMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\ConfigString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\MVID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\EvalationData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\ILDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\NIDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\MissingDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\cc504d5\\6",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\cc504d5\\6\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\cc504d5\\6\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\cc504d5\\6\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\cc504d5\\6\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\cc504d5\\6\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\2ea32674\\7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\2ea32674\\7\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\2ea32674\\7\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\2ea32674\\7\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\2ea32674\\7\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\2ea32674\\7\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\47b2ade6\\8",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\47b2ade6\\8\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\47b2ade6\\8\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\47b2ade6\\8\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\47b2ade6\\8\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\47b2ade6\\8\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Windows.Forms__b77a5c561934e089",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\ConfigMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\ConfigString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\MVID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\EvalationData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\ILDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\NIDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\MissingDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\1910f9b6\\2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\1910f9b6\\2\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\1910f9b6\\2\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\1910f9b6\\2\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\1910f9b6\\2\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\1910f9b6\\2\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\25f1f8b7\\3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\25f1f8b7\\3\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\25f1f8b7\\3\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\25f1f8b7\\3\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\25f1f8b7\\3\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\25f1f8b7\\3\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7a57f554\\1d",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7a57f554\\1d\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7a57f554\\1d\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7a57f554\\1d\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7a57f554\\1d\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7a57f554\\1d\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\620ba200\\e",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\620ba200\\e\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\620ba200\\e\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\620ba200\\e\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\620ba200\\e\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\620ba200\\e\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\7febb058\\1e",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\7febb058\\1e\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\7febb058\\1e\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\7febb058\\1e\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\7febb058\\1e\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\7febb058\\1e\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\ConfigMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\ConfigString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\MVID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\EvalationData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\ILDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\NIDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\MissingDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\24949616\\10",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\24949616\\10\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\24949616\\10\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\24949616\\10\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\24949616\\10\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\24949616\\10\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\DbgJITDebugLaunchSetting",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\DbgManagedDebugger",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Remoting__b77a5c561934e089",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\InstallationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\ConfigMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\ConfigString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\MVID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\EvalationData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\ILDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\NIDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\MissingDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\11593b27\\5",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\11593b27\\5\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\11593b27\\5\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\11593b27\\5\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\11593b27\\5\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\11593b27\\5\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Data.SqlXml__b77a5c561934e089",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.NET CLR Networking\\Performance",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\Library",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\IsMultiInstance",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\First Counter",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.net clr networking\\Performance",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\CategoryOptions",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\FileMappingSize",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\Counter Names",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\StateSeparation\\RedirectionMap\\Keys",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2b26c876\\18ded0b4",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-3749840076-4109591986-3192690632-1000\\Installer\\Assemblies\\C:|Users|cape|AppData|Local|Temp|NanoCore.exe",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Users|cape|AppData|Local|Temp|NanoCore.exe",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Users|cape|AppData|Local|Temp|NanoCore.exe",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-3749840076-4109591986-3192690632-1000\\Installer\\Assemblies\\Global",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global",
        "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting",
        "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
        "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectWrite",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\FontCache\\Parameters",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\FontCache\\Parameters\\ClientCacheSize",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Avalon.Graphics",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ca-ES",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ca-ES",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\cs-CZ",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\cs-CZ",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\da-DK",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\da-DK",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\de-DE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\de-DE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\el-GR",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\el-GR",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\es-ES_tradnl",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\es-ES_tradnl",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\fi-FI",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\fi-FI",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\fr-FR",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\fr-FR",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\hu-HU",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\hu-HU",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\it-IT",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\it-IT",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\nl-NL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\nl-NL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\nb-NO",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\nb-NO",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\pl-PL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\pl-PL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\pt-BR",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\pt-BR",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\sk-SK",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\sk-SK",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\sv-SE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\sv-SE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\tr-TR",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\tr-TR",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\sl-SI",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\sl-SI",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\eu-ES",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\eu-ES",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\es-MX",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\es-MX",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\pt-PT",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\pt-PT",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\es-ES",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\es-ES",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\fr-CA",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\fr-CA",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\vi-VN",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\vi-VN",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ko-kr",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ko-kr",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\zh-hk",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\zh-hk",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\zh-tw",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\zh-tw",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\zh-cn",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\zh-cn",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ja-jp",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ja-jp",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\zh-sg",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\zh-sg",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\he-IL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\he-IL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink",
        "HKEY_CURRENT_USER\\EUDC\\1251",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
        "HKEY_CURRENT_USER\\Software\\Classes",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A26CEC36-234C-4950-AE16-E34AACE71D0D}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{A26CEC36-234C-4950-AE16-E34AACE71D0D}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E9A4A80A-44FE-4DE4-8971-7150B10A5199}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E9A4A80A-44FE-4DE4-8971-7150B10A5199}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{7693E886-51C9-4070-8419-9F70738EC8FA}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{7693E886-51C9-4070-8419-9F70738EC8FA}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AC4CE3CB-E1C1-44CD-8215-5A1665509EC2}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{AC4CE3CB-E1C1-44CD-8215-5A1665509EC2}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{0DBECEC1-9EB3-4860-9C6F-DDBE86634575}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{0DBECEC1-9EB3-4860-9C6F-DDBE86634575}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{72B624DF-AE11-4948-A65C-351EB0829419}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{72B624DF-AE11-4948-A65C-351EB0829419}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{01B90D9A-8209-47F7-9C52-E1244BF50CED}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{01B90D9A-8209-47F7-9C52-E1244BF50CED}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E7E79A30-4F2C-4FAB-8D00-394F2D6BBEBE}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{E7E79A30-4F2C-4FAB-8D00-394F2D6BBEBE}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{7F12E753-FC71-43D7-A51D-92F35977ABB5}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{7F12E753-FC71-43D7-A51D-92F35977ABB5}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AA94DCC2-B8B0-4898-B835-000AABD74393}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{AA94DCC2-B8B0-4898-B835-000AABD74393}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1765E14E-1BD4-462E-B6B1-590BF1262AC6}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{1765E14E-1BD4-462E-B6B1-590BF1262AC6}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{22C21F93-7DDB-411C-9B17-C5B7BD064ABC}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{22C21F93-7DDB-411C-9B17-C5B7BD064ABC}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{ED822C8C-D6BE-4301-A631-0E1416BAD28F}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{ED822C8C-D6BE-4301-A631-0E1416BAD28F}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6D68D1DE-D432-4B0F-923A-091183A9BDA7}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{6D68D1DE-D432-4B0F-923A-091183A9BDA7}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{076C2A6C-F78F-4C46-A723-3583E70876EA}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{076C2A6C-F78F-4C46-A723-3583E70876EA}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C17CABB2-D4A3-47D7-A557-339B2EFBD4F1}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{C17CABB2-D4A3-47D7-A557-339B2EFBD4F1}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{9CB5172B-D600-46BA-AB77-77BB7E3A00D9}",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{9CB5172B-D600-46BA-AB77-77BB7E3A00D9}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance\\Disabled",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance\\Disabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\NanoCore.exe",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\CTF\\EnableAnchorContext",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.mscorlib.resources_ru-RU_b77a5c561934e089",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5e8c75c\\de7da15",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.mscorlib.resources_ru_b77a5c561934e089",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5e8c75c\\2f231edf",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Verdana",
        "HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)",
        "HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\AlwaysReadHKCRForCLSIDs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\LogFlags",
        "HKEY_LOCAL_MACHINE\\OSDATA\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\CommercialDataOptIn",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiOverridePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiHivePermissionsCorrect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiHiveOwnerCorrect",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\WritePermissionsCheck",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\PermissionsCheckTestKey",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\ProviderVersion",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1",
        "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\setup\\PnpLockdownFiles",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\PnpLockdownFiles\\%SystemDrive%/users/cape/appdata/local/temp/nanocore.exe",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\ProviderSyncId",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\ProgramId",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\FileId",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\LowerCaseLongPath",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\LongPathHash",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\Name",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\OriginalFileName",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\Publisher",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\Version",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\BinFileVersion",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\BinaryType",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\ProductName",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\ProductVersion",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\LinkDate",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\BinProductVersion",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\AppxPackageFullName",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\AppxPackageRelativeId",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\Size",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\Language",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\Usn",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\SysprepLock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MachineID",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ru-RU",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ru-RU",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\NewUserDefaultConsent",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\CLR20r3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BrokerUp",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BrokerUp\\CLR20r3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BrokerUp",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinFreeDiskSpace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceHeapDump",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceMetadata",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Source",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\User",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\StorePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceEtw",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUploadOnFreeNetworksOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\UploadOnFreeNetworksOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveSeparate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalCompression",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableWerUpload",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableEnterpriseAuthProxy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ArchiveFolderCountLimit",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueSizeMaxPercentFreeDisk",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinQueueSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxRetriesForSasRenewal",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\NoHeapDumpOnQueue",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DeferCabUpload",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MSFTInternal",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\IsTest",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNT",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\EditionID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Ubr",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\UBR",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildLabEx",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildBranch",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\PropertyBag",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\KnownFolders",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Cache",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru-RU",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\Platform\\DeviceTargetingInfo",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SystemInformation",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\BIOSVersion",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemProductName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WindowsUpdate\\Orchestrator\\Installation\\Target",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Shell\\OOBE",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\OOBE\\Stats",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE\\Stats\\EndTimeStamp",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DAM\\PowerEvents",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecureBoot\\State",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ContainerType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ContainerId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\TelemetryClient\\Debug",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagLevel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagMatchAnyMask",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\#16",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\Ldap",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CertDllOpenStoreProv",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\My\\PhysicalStores",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\My",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\MY\\",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\MY\\Certificates",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\MY\\CRLs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\MY\\CTLs",
        "HKEY_USERS",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\SystemCertificates\\My\\PhysicalStores",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\SystemCertificates\\My",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3749840076-4109591986-3192690632-1000\\ProfileImagePath",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\SystemCertificates\\MY\\",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\SystemCertificates\\MY\\Certificates",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\SystemCertificates\\MY\\CRLs",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\SystemCertificates\\MY\\CTLs",
        "HKEY_CURRENT_USER\\Control Panel\\International\\Geo",
        "HKEY_CURRENT_USER\\Control Panel\\International\\Geo\\Nation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\608",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\TelemetryProtocolServerRoles",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\9292",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\svcVersion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\svcUpdateVersion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\9197",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\35",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12729",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12730",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12736",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12737",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12675",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12676",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12677",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12678",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Flighting\\Build",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Flighting\\Build\\UpdateID",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\COM3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WindowsRuntime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\Diagnosis",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaxSxSHashCount",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SharedPC",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SharedPC\\EduSharedPCMode",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Extensions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\8073",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\OEM",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\OEM\\DeviceForm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Product",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\10433",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\31",
        "HKEY_LOCAL_MACHINE\\Hardware\\Description\\System\\CentralProcessor\\0",
        "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\~MHz",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\4573",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\4572",
        "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\4575",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\9290",
        "HKEY_LOCAL_MACHINE\\Hardware\\Description\\System\\BIOS",
        "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemSKU",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SystemInformation",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\ComputerHardwareId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12728",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MachineId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC\\RacSampleNumber",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\TelemetryClient\\OEMInfo",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\CorporateSQMURL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\CommercialId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\CommercialId",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\XboxLive",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12674",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\_Groups\\UTCPartnerPrograms",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\_Groups\\UTCPartnerPrograms\\System",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\grouppolicypath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\grouppolicyismultisz",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\grouppolicymultiszSeparatorChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowCommercialDataPipeline",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\grouppolicypath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\grouppolicyismultisz",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\grouppolicymultiszSeparatorChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowDesktopAnalyticsProcessing",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\Value",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\grouppolicypath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\grouppolicyismultisz",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\grouppolicymultiszSeparatorChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowUpdateComplianceProcessing",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\grouppolicypath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\grouppolicyismultisz",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\grouppolicymultiszSeparatorChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowWUfBCloudProcessing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceNativeDump",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\NanoCore.exe",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3749840076-4109591986-3192690632-1000",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir (x86)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProgramData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\Public",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck"
      ],
      "read_keys": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\InstallRoot",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\UseLegacyV2RuntimeActivationPolicyDefaultValue",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Fusion\\NoClientChecks",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\GCStressStart",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\DisableConfigCache",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\NGen\\Policy\\v2.0\\OptimizeUsedBinaries",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\indexc\\NIUsageMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\indexc\\ILUsageMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\ConfigMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\ConfigString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\MVID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\EvalationData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\ILDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\NIDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\MissingDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\cb87bba\\1\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\cb87bba\\1\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\cb87bba\\1\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\cb87bba\\1\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\cb87bba\\1\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index5",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\ConfigMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\ConfigString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\MVID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\EvalationData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\ILDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\NIDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\MissingDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\cc504d5\\6\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\cc504d5\\6\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\cc504d5\\6\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\cc504d5\\6\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\cc504d5\\6\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\2ea32674\\7\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\2ea32674\\7\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\2ea32674\\7\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\2ea32674\\7\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\2ea32674\\7\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\47b2ade6\\8\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\47b2ade6\\8\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\47b2ade6\\8\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\47b2ade6\\8\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\47b2ade6\\8\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\ConfigMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\ConfigString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\MVID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\EvalationData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\ILDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\NIDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\MissingDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\1910f9b6\\2\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\1910f9b6\\2\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\1910f9b6\\2\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\1910f9b6\\2\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\1910f9b6\\2\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\25f1f8b7\\3\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\25f1f8b7\\3\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\25f1f8b7\\3\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\25f1f8b7\\3\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\25f1f8b7\\3\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7a57f554\\1d\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7a57f554\\1d\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7a57f554\\1d\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7a57f554\\1d\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7a57f554\\1d\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\620ba200\\e\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\620ba200\\e\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\620ba200\\e\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\620ba200\\e\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\620ba200\\e\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\7febb058\\1e\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\7febb058\\1e\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\7febb058\\1e\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\7febb058\\1e\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\7febb058\\1e\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\ConfigMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\ConfigString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\MVID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\EvalationData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\ILDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\NIDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\MissingDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\24949616\\10\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\24949616\\10\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\24949616\\10\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\24949616\\10\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\24949616\\10\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\DbgJITDebugLaunchSetting",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\DbgManagedDebugger",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\InstallationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\ConfigMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\ConfigString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\MVID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\EvalationData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\ILDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\NIDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\MissingDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\11593b27\\5\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\11593b27\\5\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\11593b27\\5\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\11593b27\\5\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\11593b27\\5\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\Library",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\IsMultiInstance",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\First Counter",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\CategoryOptions",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\FileMappingSize",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\Counter Names",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\FontCache\\Parameters\\ClientCacheSize",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ca-ES",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ca-ES",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\cs-CZ",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\cs-CZ",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\da-DK",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\da-DK",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\de-DE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\de-DE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\el-GR",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\el-GR",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\es-ES_tradnl",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\es-ES_tradnl",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\fi-FI",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\fi-FI",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\fr-FR",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\fr-FR",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\hu-HU",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\hu-HU",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\it-IT",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\it-IT",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\nl-NL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\nl-NL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\nb-NO",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\nb-NO",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\pl-PL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\pl-PL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\pt-BR",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\pt-BR",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\sk-SK",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\sk-SK",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\sv-SE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\sv-SE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\tr-TR",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\tr-TR",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\sl-SI",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\sl-SI",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\eu-ES",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\eu-ES",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\es-MX",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\es-MX",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\pt-PT",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\pt-PT",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\es-ES",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\es-ES",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\fr-CA",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\fr-CA",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\vi-VN",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\vi-VN",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ko-kr",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ko-kr",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\zh-hk",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\zh-hk",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\zh-tw",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\zh-tw",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\zh-cn",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\zh-cn",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ja-jp",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ja-jp",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\zh-sg",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\zh-sg",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\he-IL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\he-IL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\CTF\\EnableAnchorContext",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\AlwaysReadHKCRForCLSIDs",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\LogFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\CommercialDataOptIn",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiOverridePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiHivePermissionsCorrect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiHiveOwnerCorrect",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\ProviderVersion",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\ProviderSyncId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MachineID",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ru-RU",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ru-RU",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\NewUserDefaultConsent",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\CLR20r3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BrokerUp\\CLR20r3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinFreeDiskSpace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceHeapDump",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceMetadata",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Source",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\User",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\StorePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceEtw",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUploadOnFreeNetworksOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\UploadOnFreeNetworksOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveSeparate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalCompression",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableWerUpload",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableEnterpriseAuthProxy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ArchiveFolderCountLimit",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueSizeMaxPercentFreeDisk",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinQueueSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxRetriesForSasRenewal",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\NoHeapDumpOnQueue",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DeferCabUpload",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MSFTInternal",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\IsTest",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\EditionID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Ubr",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\UBR",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildLabEx",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildBranch",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Cache",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru-RU",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\BIOSVersion",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemProductName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE\\Stats\\EndTimeStamp",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ContainerType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ContainerId",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagLevel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagMatchAnyMask",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3749840076-4109591986-3192690632-1000\\ProfileImagePath",
        "HKEY_CURRENT_USER\\Control Panel\\International\\Geo\\Nation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\608",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\TelemetryProtocolServerRoles",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\9292",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\svcVersion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\svcUpdateVersion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\9197",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\35",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12729",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12730",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12736",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12737",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12675",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12676",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12677",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12678",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Flighting\\Build\\UpdateID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaxSxSHashCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SharedPC\\EduSharedPCMode",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\8073",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\OEM\\DeviceForm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\10433",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\31",
        "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\~MHz",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\4573",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\4572",
        "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\4575",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\9290",
        "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemSKU",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\ComputerHardwareId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12728",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MachineId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC\\RacSampleNumber",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\CorporateSQMURL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\CommercialId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\CommercialId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12674",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\grouppolicypath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\grouppolicyismultisz",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\grouppolicymultiszSeparatorChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowCommercialDataPipeline",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\grouppolicypath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\grouppolicyismultisz",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\grouppolicymultiszSeparatorChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowDesktopAnalyticsProcessing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\grouppolicypath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\grouppolicyismultisz",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\grouppolicymultiszSeparatorChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowUpdateComplianceProcessing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\grouppolicypath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\grouppolicyismultisz",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\grouppolicymultiszSeparatorChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowWUfBCloudProcessing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceNativeDump",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir (x86)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProgramData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\Public",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck"
      ],
      "write_keys": [
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\WritePermissionsCheck",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\PermissionsCheckTestKey",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\ProgramId",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\FileId",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\LowerCaseLongPath",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\LongPathHash",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\Name",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\OriginalFileName",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\Publisher",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\Version",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\BinFileVersion",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\BinaryType",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\ProductName",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\ProductVersion",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\LinkDate",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\BinProductVersion",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\AppxPackageFullName",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\AppxPackageRelativeId",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\Size",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\Language",
        "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\nanocore.exe|3a2172e6e43654d1\\Usn"
      ],
      "delete_keys": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiOverridePath"
      ],
      "executed_commands": [
        "dw20.exe -x -s 1208"
      ],
      "resolved_apis": [],
      "mutexes": [
        "Local\\SM0:7684:168:WilStaging_02",
        "Global\\CLR_CASOFF_MUTEX",
        "Global\\.net clr networking",
        "Local\\MSCTF.Asm.MutexDefault1",
        "CicLoadWinStaWinSta0",
        "Local\\MSCTF.CtfMonitorInstMutexDefault1",
        "Global\\AmiProviderMutex_InventoryApplicationFile",
        "Global\\64f40b16-8815-4ee8-8a70-3b6c64161d57",
        "Local\\SM0:3832:168:WilStaging_02"
      ],
      "created_services": [],
      "started_services": []
    },
    "enhanced": [
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:59:51,580",
        "eid": 1,
        "data": {
          "file": "ADVAPI32.dll",
          "pathtofile": null,
          "moduleaddress": "0x76ea0000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 19:59:51,580",
        "eid": 2,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\InstallRoot",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 19:59:51,580",
        "eid": 3,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\InstallRoot",
          "content": "C:\\Windows\\Microsoft.NET\\Framework\\"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 19:59:51,643",
        "eid": 4,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\InstallRoot",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 19:59:51,643",
        "eid": 5,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\InstallRoot",
          "content": "C:\\Windows\\Microsoft.NET\\Framework\\"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 19:59:51,658",
        "eid": 6,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\InstallRoot",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 19:59:51,658",
        "eid": 7,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\InstallRoot",
          "content": "C:\\Windows\\Microsoft.NET\\Framework\\"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:59:51,658",
        "eid": 8,
        "data": {
          "file": "api-ms-win-core-synch-l1-2-0",
          "pathtofile": null,
          "moduleaddress": "0x77150000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:59:51,658",
        "eid": 9,
        "data": {
          "file": "api-ms-win-core-fibers-l1-1-1",
          "pathtofile": null,
          "moduleaddress": "0x77150000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:59:51,658",
        "eid": 10,
        "data": {
          "file": "api-ms-win-core-synch-l1-2-0",
          "pathtofile": null,
          "moduleaddress": "0x77150000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:59:51,658",
        "eid": 11,
        "data": {
          "file": "api-ms-win-core-fibers-l1-1-1",
          "pathtofile": null,
          "moduleaddress": "0x77150000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:59:51,658",
        "eid": 12,
        "data": {
          "file": "api-ms-win-core-localization-l1-2-1",
          "pathtofile": null,
          "moduleaddress": "0x77150000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:59:51,658",
        "eid": 13,
        "data": {
          "file": "ADVAPI32.dll",
          "pathtofile": null,
          "moduleaddress": "0x76ea0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:59:51,658",
        "eid": 14,
        "data": {
          "file": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll",
          "pathtofile": null,
          "moduleaddress": "0x73e10000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:59:51,658",
        "eid": 15,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 19:59:51,658",
        "eid": 16,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\InstallRoot",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 19:59:51,658",
        "eid": 17,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\InstallRoot",
          "content": "C:\\Windows\\Microsoft.NET\\Framework\\"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:59:52,096",
        "eid": 18,
        "data": {
          "file": "SHLWAPI.dll",
          "pathtofile": null,
          "moduleaddress": "0x76f20000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 19:59:52,096",
        "eid": 19,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\UseLegacyV2RuntimeActivationPolicyDefaultValue",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 19:59:52,096",
        "eid": 20,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:59:52,611",
        "eid": 21,
        "data": {
          "file": "api-ms-win-appmodel-runtime-l1-1-2.dll",
          "pathtofile": null,
          "moduleaddress": "0x75250000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:59:52,611",
        "eid": 22,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 19:59:52,611",
        "eid": 23,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Fusion\\NoClientChecks",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:59:52,611",
        "eid": 24,
        "data": {
          "file": "VERSION.dll",
          "pathtofile": null,
          "moduleaddress": "0x75460000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:59:59,564",
        "eid": 25,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:59:59,564",
        "eid": 26,
        "data": {
          "file": "MSCoree.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:59:59,564",
        "eid": 27,
        "data": {
          "file": "PGORT80.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:59:59,674",
        "eid": 28,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:59:59,861",
        "eid": 29,
        "data": {
          "file": "mscoree.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:00,424",
        "eid": 30,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\GCStressStart",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:00,424",
        "eid": 31,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:00,424",
        "eid": 32,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\GCStressStart",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:00,424",
        "eid": 33,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:00,486",
        "eid": 34,
        "data": {
          "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
          "pathtofile": null,
          "moduleaddress": "0x737e0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:00,486",
        "eid": 35,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:00,486",
        "eid": 36,
        "data": {
          "file": "USER32.dll",
          "pathtofile": null,
          "moduleaddress": "0x75d10000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:00,752",
        "eid": 37,
        "data": {
          "file": "mscorwks.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:00,861",
        "eid": 38,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\DisableConfigCache",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:01,064",
        "eid": 39,
        "data": {
          "file": "advapi32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:01,689",
        "eid": 40,
        "data": {
          "file": "mscoree.dll",
          "pathtofile": null,
          "moduleaddress": "0x74160000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:01,689",
        "eid": 41,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:01,830",
        "eid": 42,
        "data": {
          "file": "mscoree.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:01,830",
        "eid": 43,
        "data": {
          "file": "mscoree.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-04-16 20:00:02,221",
        "eid": 44,
        "data": {
          "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-04-16 20:00:02,299",
        "eid": 45,
        "data": {
          "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:02,408",
        "eid": 46,
        "data": {
          "file": "ntdll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:02,408",
        "eid": 47,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:02,502",
        "eid": 48,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:02,971",
        "eid": 49,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:02,971",
        "eid": 50,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:02,971",
        "eid": 51,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:02,971",
        "eid": 52,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:02,971",
        "eid": 53,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:02,971",
        "eid": 54,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:02,971",
        "eid": 55,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:02,971",
        "eid": 56,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:02,971",
        "eid": 57,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:02,971",
        "eid": 58,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:02,971",
        "eid": 59,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:02,971",
        "eid": 60,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:02,971",
        "eid": 61,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:02,971",
        "eid": 62,
        "data": {
          "file": "advapi32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:02,971",
        "eid": 63,
        "data": {
          "file": "advapi32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:02,986",
        "eid": 64,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:02,986",
        "eid": 65,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\NGen\\Policy\\v2.0\\OptimizeUsedBinaries",
          "content": "1"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:02,986",
        "eid": 66,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:03,033",
        "eid": 67,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:03,033",
        "eid": 68,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:03,377",
        "eid": 69,
        "data": {
          "file": "advapi32.dll",
          "pathtofile": null,
          "moduleaddress": "0x76ea0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:03,377",
        "eid": 70,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:03,377",
        "eid": 71,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x77590000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:03,377",
        "eid": 72,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:03,408",
        "eid": 73,
        "data": {
          "file": "api-ms-win-eventing-provider-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:03,408",
        "eid": 74,
        "data": {
          "file": "api-ms-win-core-synch-l1-2-0.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:03,408",
        "eid": 75,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:04,346",
        "eid": 76,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": "0x76ab0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:04,361",
        "eid": 77,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:04,361",
        "eid": 78,
        "data": {
          "file": "Kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:04,361",
        "eid": 79,
        "data": {
          "file": "Kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:04,580",
        "eid": 80,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:04,627",
        "eid": 81,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
          "content": "12"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:04,627",
        "eid": 82,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
          "content": "12"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:04,658",
        "eid": 83,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\indexc\\NIUsageMask",
          "content": "\\xff\\xe1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:04,658",
        "eid": 84,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\indexc\\ILUsageMask",
          "content": "\\xff\\xff\\xff\\xf1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:04,658",
        "eid": 85,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\DisplayName",
          "content": "mscorlib,2.0.0.0,,b77a5c561934e089"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:04,658",
        "eid": 86,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\ConfigMask",
          "content": "4361"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:04,658",
        "eid": 87,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\ConfigString",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:04,658",
        "eid": 88,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\MVID",
          "content": "\\x07\\xfe\\xde\\xcf;\\x96LM&\\xa6\\xec\\x99B&\\xef\\xe4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:04,705",
        "eid": 89,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\EvalationData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:04,705",
        "eid": 90,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\Status",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:04,705",
        "eid": 91,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\ILDependencies",
          "content": "\\xc5\\xe2Py\\xba{\\xb8\\x0c\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:04,705",
        "eid": 92,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\NIDependencies",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:04,705",
        "eid": 93,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\1\\MissingDependencies",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:04,721",
        "eid": 94,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\cb87bba\\1\\DisplayName",
          "content": "mscorlib,2.0.0.0,,b77a5c561934e089"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:04,721",
        "eid": 95,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\cb87bba\\1\\Status",
          "content": "8198"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:04,721",
        "eid": 96,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\cb87bba\\1\\Modules",
          "content": "sortkey.nlp|sorttbls.nlp|big5.nlp|bopomofo.nlp|ksc.nlp|prc.nlp|prcp.nlp|xjis.nlp|normidna.nlp|normnfc.nlp|normnfd.nlp|normnfkc.nlp|normnfkd.nlp"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:04,721",
        "eid": 97,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\cb87bba\\1\\SIG",
          "content": "\\xb23\\xc7M\\xdf\\xb0\\xb0D\\xba\\xbf+\\xb7\\xcf\\xfd\\xf4\\xab\\x91th\\x7f\\xa9w\\xa2\\xc6\\xae\\xd2Yqa\\xe9\\xe1\\x81\\x9d\\xe9K\\xa9"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:04,721",
        "eid": 98,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\cb87bba\\1\\LastModTime",
          "content": "m\\xa7>\\xfb\\x06\\xac\\xdc\\x01"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:04,721",
        "eid": 99,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:04,721",
        "eid": 100,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86",
          "content": "m\\xa7>\\xfb\\x06\\xac\\xdc\\x01"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:05,393",
        "eid": 101,
        "data": {
          "file": "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\07fedecf3b964c4d26a6ec994226efe4\\mscorlib.ni.dll",
          "pathtofile": null,
          "moduleaddress": "0x72be0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:05,393",
        "eid": 102,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:05,721",
        "eid": 103,
        "data": {
          "file": "MSCORWKS.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:05,721",
        "eid": 104,
        "data": {
          "file": "mscorjit.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:06,361",
        "eid": 105,
        "data": {
          "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll",
          "pathtofile": null,
          "moduleaddress": "0x00000000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:06,361",
        "eid": 106,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:06,361",
        "eid": 107,
        "data": {
          "file": "ole32.dll",
          "pathtofile": null,
          "moduleaddress": "0x77060000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:06,361",
        "eid": 108,
        "data": {
          "file": "C:\\Windows\\system32\\rpcss.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:06,361",
        "eid": 109,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:06,361",
        "eid": 110,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:06,361",
        "eid": 111,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:06,361",
        "eid": 112,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:06,377",
        "eid": 113,
        "data": {
          "file": "C:\\Windows\\System32\\uxtheme.dll",
          "pathtofile": null,
          "moduleaddress": "0x745d0000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:06,377",
        "eid": 114,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
          "content": "1"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:06,377",
        "eid": 115,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:06,377",
        "eid": 116,
        "data": {
          "file": "ole32.dll",
          "pathtofile": null,
          "moduleaddress": "0x77060000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:06,377",
        "eid": 117,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:06,705",
        "eid": 118,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
          "content": "12"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:06,830",
        "eid": 119,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": "0x76ab0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:06,830",
        "eid": 120,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:07,455",
        "eid": 121,
        "data": {
          "file": "AdvApi32.dll",
          "pathtofile": null,
          "moduleaddress": "0x76ea0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:07,455",
        "eid": 122,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:07,455",
        "eid": 123,
        "data": {
          "file": "mscoree.dll",
          "pathtofile": null,
          "moduleaddress": "0x74160000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:07,455",
        "eid": 124,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:08,018",
        "eid": 125,
        "data": {
          "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
          "pathtofile": null,
          "moduleaddress": "0x72b80000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:08,018",
        "eid": 126,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:08,018",
        "eid": 127,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:09,424",
        "eid": 128,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,002",
        "eid": 129,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
          "content": "5"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,002",
        "eid": 130,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index5",
          "content": "\\x1f"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,002",
        "eid": 131,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
          "content": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-04-16 20:00:10,018",
        "eid": 132,
        "data": {
          "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-04-16 20:00:10,018",
        "eid": 133,
        "data": {
          "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,080",
        "eid": 134,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\DisplayName",
          "content": "System,2.0.0.0,,b77a5c561934e089"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,080",
        "eid": 135,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\ConfigMask",
          "content": "4361"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,080",
        "eid": 136,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\ConfigString",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,080",
        "eid": 137,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\MVID",
          "content": "\\xc6\r\\xd1\\xee\\x84;\\xa8\\xff\\x9e\\xe7\\xed\\xcdc\\x029;"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,080",
        "eid": 138,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\EvalationData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,080",
        "eid": 139,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\Status",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,080",
        "eid": 140,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\ILDependencies",
          "content": "\\xd8\\xd4KB\\xd5\\x04\\xc5\\x0c\\x06\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00W\\x8d\\xab\\x19t&\\xa3.\\x07\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00O\\xfeP?\\xe6\\xad\\xb2G\\x08\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,080",
        "eid": 141,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\NIDependencies",
          "content": "\\xc68\\x19\\x18\\xc5\\xe2Py\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,080",
        "eid": 142,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\8\\MissingDependencies",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,080",
        "eid": 143,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\cc504d5\\6\\DisplayName",
          "content": "System.Configuration,2.0.0.0,,b03f5f7f11d50a3a"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,080",
        "eid": 144,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\cc504d5\\6\\Status",
          "content": "4098"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,096",
        "eid": 145,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\cc504d5\\6\\Modules",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,096",
        "eid": 146,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\cc504d5\\6\\SIG",
          "content": ";\\xf2\\x93\\x1d\\xca\\xffYI\\xab\\xdc&X\\x07\\xe4$-!M\\xd0D\\x87\\xd2\\xcbu\\xd7)\\x06\\xd2\\xf2\\x1b\\x07\n{\\xefi\\xab"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,096",
        "eid": 147,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\cc504d5\\6\\LastModTime",
          "content": "Zk\\xb2'\\x07\\xac\\xdc\\x01"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,096",
        "eid": 148,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\2ea32674\\7\\DisplayName",
          "content": "System.Xml,2.0.0.0,,b77a5c561934e089"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,096",
        "eid": 149,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\2ea32674\\7\\Status",
          "content": "4098"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,096",
        "eid": 150,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\2ea32674\\7\\Modules",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,096",
        "eid": 151,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\2ea32674\\7\\SIG",
          "content": "\\xb2\\x1aNYhyhC\\xa1\\xe5\\x96\\xe9\\x9a\\xf9@\\xad\\x19-\\x99{\\x90v\\xc4\\xa3+&d\\x93s{\\x8e\\xce\\x92\\x18\\xc5\\xc6"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,096",
        "eid": 152,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\2ea32674\\7\\LastModTime",
          "content": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,096",
        "eid": 153,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\47b2ade6\\8\\DisplayName",
          "content": "System,2.0.0.0,,b77a5c561934e089"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,096",
        "eid": 154,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\47b2ade6\\8\\Status",
          "content": "4098"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,096",
        "eid": 155,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\47b2ade6\\8\\Modules",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,096",
        "eid": 156,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\47b2ade6\\8\\SIG",
          "content": "\\xd40\\\\x82\\xcf\\xa4LF\\xb7\\xeb\\xb8\\x14XT\\xd1\\xf81\\x82\\x8d\\xfa\\x12E\\x8d}\\x7f\\x90'\\xf5\\xa5\\x82\\xdb\\x0c\\x14c\\x12\\x1a"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,096",
        "eid": 157,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\47b2ade6\\8\\LastModTime",
          "content": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,096",
        "eid": 158,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL",
          "content": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,096",
        "eid": 159,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL",
          "content": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:10,096",
        "eid": 160,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
          "content": "Zk\\xb2'\\x07\\xac\\xdc\\x01"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:10,814",
        "eid": 161,
        "data": {
          "file": "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\c60dd1ee843ba8ff9ee7edcd6302393b\\System.ni.dll",
          "pathtofile": null,
          "moduleaddress": "0x723d0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:10,830",
        "eid": 162,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:10,971",
        "eid": 163,
        "data": {
          "file": "MSCORWKS.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:10,971",
        "eid": 164,
        "data": {
          "file": "mscorjit.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:11,611",
        "eid": 165,
        "data": {
          "file": "mscoree.dll",
          "pathtofile": null,
          "moduleaddress": "0x74160000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:11,611",
        "eid": 166,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:11,611",
        "eid": 167,
        "data": {
          "file": "ole32.dll",
          "pathtofile": null,
          "moduleaddress": "0x77060000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:11,611",
        "eid": 168,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:11,814",
        "eid": 169,
        "data": {
          "file": "kernel32",
          "pathtofile": null,
          "moduleaddress": "0x76ab0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:11,814",
        "eid": 170,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:13,393",
        "eid": 171,
        "data": {
          "file": "advapi32.dll",
          "pathtofile": null,
          "moduleaddress": "0x76ea0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:13,393",
        "eid": 172,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:13,408",
        "eid": 173,
        "data": {
          "file": "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\psapi.dll",
          "pathtofile": null,
          "moduleaddress": "0x00000000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:13,408",
        "eid": 174,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:13,424",
        "eid": 175,
        "data": {
          "file": "psapi.dll",
          "pathtofile": null,
          "moduleaddress": "0x76a70000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:13,424",
        "eid": 176,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:14,299",
        "eid": 177,
        "data": {
          "file": "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll",
          "pathtofile": null,
          "moduleaddress": "0x07cd0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:14,299",
        "eid": 178,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:14,549",
        "eid": 179,
        "data": {
          "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\VERSION.dll",
          "pathtofile": null,
          "moduleaddress": "0x00000000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:14,549",
        "eid": 180,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:14,549",
        "eid": 181,
        "data": {
          "file": "VERSION.dll",
          "pathtofile": null,
          "moduleaddress": "0x75460000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 182,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\DisplayName",
          "content": "System.Windows.Forms,2.0.0.0,,b77a5c561934e089"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 183,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\ConfigMask",
          "content": "4361"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 184,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\ConfigString",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 185,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\MVID",
          "content": "\\x19N\\x1e\\x92\\xbf\\xaeS\\x96\\x08e\\x18\\xc2\\xec\n\\x0ft"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 186,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\EvalationData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 187,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\Status",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 188,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\ILDependencies",
          "content": "@\\xce]G\\xb6\\xf9\\x10\\x19\\x02\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00W\\x8d\\xab\\x19t&\\xa3.\\x07\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xac\\xd6-\\xb7\\xf8\\xf1%\\x03\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\xd4KB\\xd5\\x04\\xc5\\x0c\\x06\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00~L\\xc0AT\\xf5Wz\\x1d\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc5Y\\xed<\\x00\\xa2\\x0bb\\x0e\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x10\\x99\\x0cX\\xb0\\xeb\\x7f\\x1e\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 189,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\NIDependencies",
          "content": "\\xc68\\x19\\x18\\xc5\\xe2Py\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00O|\\xbc0O\\xfeP?\\x08\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\x06\\xca<\\xc0\\xd4\\xc7m\\x0f\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 190,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\e\\MissingDependencies",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 191,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\1910f9b6\\2\\DisplayName",
          "content": "System.Security,2.0.0.0,,b03f5f7f11d50a3a"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 192,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\1910f9b6\\2\\Status",
          "content": "4098"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 193,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\1910f9b6\\2\\Modules",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 194,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\1910f9b6\\2\\SIG",
          "content": "\\x08\\x03VdL\\xe0}B\\xb3\\x80\\x140i\\xbf^\\xfcT0=\\xdb\\xb5\\x9b\\x9b[1\\xba\\xbe\\xf8I\\x1e\n\\x06G\\xa7\\xbf "
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 195,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\1910f9b6\\2\\LastModTime",
          "content": "\\xa3k\\xc9@\\x07\\xac\\xdc\\x01"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 196,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\25f1f8b7\\3\\DisplayName",
          "content": "Accessibility,2.0.0.0,,b03f5f7f11d50a3a"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 197,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\25f1f8b7\\3\\Status",
          "content": "4098"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 198,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\25f1f8b7\\3\\Modules",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 199,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\25f1f8b7\\3\\SIG",
          "content": "z\\xb1\\xaa^\\x82\\x82\\x9bJ\\x84\\x94\\xe5%\\x92\\xf5P\r\\xd2\\xaf\\x11Z\\xf2&\\x19R\\x02V\\x821_\\\\xabW\\xeb\\xe8\\xb4\\xef"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 200,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\25f1f8b7\\3\\LastModTime",
          "content": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 201,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7a57f554\\1d\\DisplayName",
          "content": "System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 202,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7a57f554\\1d\\Status",
          "content": "4098"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 203,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7a57f554\\1d\\Modules",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 204,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7a57f554\\1d\\SIG",
          "content": "P\\xd0O\\xcbR]\\x90@\\x85\\x86M\\x87\\x82\r\\xa8\\xdd~\\x17\\xf4\\xe2\\x84\\xca\\x8c\\xfd-\\xacs\\xce\\xf7 \\xc3/\\xb3\\xcft\\xbf"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 205,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7a57f554\\1d\\LastModTime",
          "content": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 206,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\620ba200\\e\\DisplayName",
          "content": "System.Deployment,2.0.0.0,,b03f5f7f11d50a3a"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 207,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\620ba200\\e\\Status",
          "content": "4098"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 208,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\620ba200\\e\\Modules",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 209,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\620ba200\\e\\SIG",
          "content": "\\xe1\\x8a\\xf5\\x0e\\xe2q\\x8bN\\x97\nB#\\x17\\x8a\\xe6\\xf3\\xe4i\\x1a\\xeeJVa\\\\xcb\\x0ff)\\x08UQ\\x86\\x80E\\x08\\x1a"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 210,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\620ba200\\e\\LastModTime",
          "content": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 211,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\7febb058\\1e\\DisplayName",
          "content": "System.Windows.Forms,2.0.0.0,,b77a5c561934e089"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 212,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\7febb058\\1e\\Status",
          "content": "4098"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 213,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\7febb058\\1e\\Modules",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 214,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\7febb058\\1e\\SIG",
          "content": "\\x84\\xda\\xb9\\xe2\\xe1\\5I\\x8c\\xe5a\\xb1\\xb8\\x91\\xd5\\xf7\\xeeKz\\x06#R\\x17\\xc9\\xbf0\\xed\\xbb\\x91p\\x9a#Zk@\\xd5"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 215,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\7febb058\\1e\\LastModTime",
          "content": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 216,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\DisplayName",
          "content": "System.Drawing,2.0.0.0,,b03f5f7f11d50a3a"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 217,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\ConfigMask",
          "content": "4361"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 218,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\ConfigString",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 219,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\MVID",
          "content": "\\xa0=\\xd8\\x87\\x19)\\x95\\h\\x022h,\\x94d\\xa0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 220,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\EvalationData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 221,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\Status",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 222,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\ILDependencies",
          "content": "\\xc0\\xd4\\xc7m\\x16\\x96\\x94$\\x10\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 223,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\NIDependencies",
          "content": "\\xc68\\x19\\x18\\xc5\\xe2Py\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00O|\\xbc0O\\xfeP?\\x08\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 224,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\f\\MissingDependencies",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 225,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\24949616\\10\\DisplayName",
          "content": "System.Drawing,2.0.0.0,,b03f5f7f11d50a3a"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 226,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\24949616\\10\\Status",
          "content": "4098"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 227,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\24949616\\10\\Modules",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 228,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\24949616\\10\\SIG",
          "content": "\\x7fX\\xbb\\xfa\\x0e\\xf2\\xcbD\\x91\\xf4^\\x19\\xf6\r\r\\x0c\\xab\\x0eq\\xfcgB\\x12\\xe3\\xe8\\xe5\\x99Q\\x80\\xb8\\x0bu\\xdc\\x16\\x14?"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 229,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\24949616\\10\\LastModTime",
          "content": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 230,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL",
          "content": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:14,564",
        "eid": 231,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
          "content": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:15,064",
        "eid": 232,
        "data": {
          "file": "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\a03dd8871929955c680232682c9464a0\\System.Drawing.ni.dll",
          "pathtofile": null,
          "moduleaddress": "0x72240000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:15,064",
        "eid": 233,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:15,064",
        "eid": 234,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
          "content": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:15,064",
        "eid": 235,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
          "content": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:15,064",
        "eid": 236,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
          "content": "\\x00.\\xa1\\xe9;\\xac\\xd5\\x01"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:15,080",
        "eid": 237,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
          "content": "\\xa3k\\xc9@\\x07\\xac\\xdc\\x01"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:15,721",
        "eid": 238,
        "data": {
          "file": "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\194e1e92bfae5396086518c2ec0a0f74\\System.Windows.Forms.ni.dll",
          "pathtofile": null,
          "moduleaddress": "0x71660000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:15,721",
        "eid": 239,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:15,768",
        "eid": 240,
        "data": {
          "file": "MSCORWKS.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:15,768",
        "eid": 241,
        "data": {
          "file": "mscorjit.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:15,768",
        "eid": 242,
        "data": {
          "file": "MSCORWKS.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:15,768",
        "eid": 243,
        "data": {
          "file": "mscorjit.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:15,908",
        "eid": 244,
        "data": {
          "file": "user32.dll",
          "pathtofile": null,
          "moduleaddress": "0x75d10000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:15,908",
        "eid": 245,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:15,986",
        "eid": 246,
        "data": {
          "file": "user32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:15,986",
        "eid": 247,
        "data": {
          "file": "gdi32.dll",
          "pathtofile": null,
          "moduleaddress": "0x76a80000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:15,986",
        "eid": 248,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:15,986",
        "eid": 249,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\DbgJITDebugLaunchSetting",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:15,986",
        "eid": 250,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\DbgManagedDebugger",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:16,080",
        "eid": 251,
        "data": {
          "file": "C:\\Windows\\assembly\\GAC_MSIL\\System.Runtime.Remoting\\2.0.0.0__b77a5c561934e089\\System.Runtime.Remoting.dll",
          "pathtofile": null,
          "moduleaddress": "0x07e70000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:16,080",
        "eid": 252,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:16,502",
        "eid": 253,
        "data": {
          "file": "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ws2_32.dll",
          "pathtofile": null,
          "moduleaddress": "0x00000000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:16,518",
        "eid": 254,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:16,518",
        "eid": 255,
        "data": {
          "file": "ws2_32.dll",
          "pathtofile": null,
          "moduleaddress": "0x76640000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:16,518",
        "eid": 256,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:16,580",
        "eid": 257,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\InstallationType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:16,580",
        "eid": 258,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\InstallationType",
          "content": "Client"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:16,596",
        "eid": 259,
        "data": {
          "file": "C:\\Windows\\System32\\mswsock.dll",
          "pathtofile": null,
          "moduleaddress": "0x747c0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:16,596",
        "eid": 260,
        "data": {
          "file": "C:\\Windows\\System32\\mswsock.dll",
          "pathtofile": null,
          "moduleaddress": "0x747c0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:16,830",
        "eid": 261,
        "data": {
          "file": "C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.dll",
          "pathtofile": null,
          "moduleaddress": "0x07f40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:16,830",
        "eid": 262,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:17,564",
        "eid": 263,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\DisplayName",
          "content": "System.Xml,2.0.0.0,,b77a5c561934e089"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:17,564",
        "eid": 264,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\ConfigMask",
          "content": "4361"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:17,564",
        "eid": 265,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\ConfigString",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:17,564",
        "eid": 266,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\MVID",
          "content": "\\xba\\xe2N\\x9b\\xcb\\xc0\\x1b\\xb2\\xa0\\xedO\\xa7Q4pA"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:17,564",
        "eid": 267,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\EvalationData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:17,564",
        "eid": 268,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\Status",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:17,564",
        "eid": 269,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\ILDependencies",
          "content": "\\xd8\\xd4KB\\xd5\\x04\\xc5\\x0c\\x06\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xee\\x8fcu';Y\\x11\\x05\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00W\\x8d\\xab\\x19t&\\xa3.\\x07\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:17,564",
        "eid": 270,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\NIDependencies",
          "content": "\\xc68\\x19\\x18\\xc5\\xe2Py\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00O|\\xbc0O\\xfeP?\\x08\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:17,564",
        "eid": 271,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\7\\MissingDependencies",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:17,564",
        "eid": 272,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\11593b27\\5\\DisplayName",
          "content": "System.Data.SqlXml,2.0.0.0,,b77a5c561934e089"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:17,564",
        "eid": 273,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\11593b27\\5\\Status",
          "content": "4098"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:17,564",
        "eid": 274,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\11593b27\\5\\Modules",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:17,580",
        "eid": 275,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\11593b27\\5\\SIG",
          "content": "9S\\x1e/K\\x98DN\\xa1\\xa3^\\xba\\xd8\\xae\\xa3M\\x85\\x11\\x9b\\x17\\x815z^\\x15:\\xb8\\xb7\\x13\\x01\\xd4)\\xebl\\xb1\\x90"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:17,580",
        "eid": 276,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\11593b27\\5\\LastModTime",
          "content": "\\x00\\xe8\\xdd\\xc5;\\xac\\xd5\\x01"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:17,580",
        "eid": 277,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL",
          "content": "\\x00\\xe8\\xdd\\xc5;\\xac\\xd5\\x01"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:17,721",
        "eid": 278,
        "data": {
          "file": "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\bae24e9bcbc01bb2a0ed4fa751347041\\System.Xml.ni.dll",
          "pathtofile": null,
          "moduleaddress": "0x71120000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:17,721",
        "eid": 279,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:17,721",
        "eid": 280,
        "data": {
          "file": "MSCORWKS.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:17,721",
        "eid": 281,
        "data": {
          "file": "mscorjit.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:17,939",
        "eid": 282,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:17,939",
        "eid": 283,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-04-16 20:00:18,049",
        "eid": 284,
        "data": {
          "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-04-16 20:00:18,049",
        "eid": 285,
        "data": {
          "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-04-16 20:00:18,064",
        "eid": 286,
        "data": {
          "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-04-16 20:00:18,064",
        "eid": 287,
        "data": {
          "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:18,127",
        "eid": 288,
        "data": {
          "file": "C:\\Windows\\System32\\rsaenh.dll",
          "pathtofile": null,
          "moduleaddress": "0x74c10000"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-04-16 20:00:18,143",
        "eid": 289,
        "data": {
          "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-04-16 20:00:18,361",
        "eid": 290,
        "data": {
          "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-04-16 20:00:18,361",
        "eid": 291,
        "data": {
          "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-04-16 20:00:18,424",
        "eid": 292,
        "data": {
          "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:18,674",
        "eid": 293,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\Library",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:18,689",
        "eid": 294,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\Library",
          "content": "%systemroot%\\system32\\netfxperf.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:18,689",
        "eid": 295,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\IsMultiInstance",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:18,689",
        "eid": 296,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\IsMultiInstance",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:18,689",
        "eid": 297,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\First Counter",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:18,689",
        "eid": 298,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\First Counter",
          "content": "6828"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:18,689",
        "eid": 299,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\CategoryOptions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:18,689",
        "eid": 300,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\CategoryOptions",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:18,689",
        "eid": 301,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\FileMappingSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:18,689",
        "eid": 302,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\FileMappingSize",
          "content": "131072"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:18,689",
        "eid": 303,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\Counter Names",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:18,689",
        "eid": 304,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\.NET CLR Networking\\Performance\\Counter Names",
          "content": "C\\x00o\\x00n\\x00n\\x00e\\x00c\\x00t\\x00i\\x00o\\x00n\\x00s\\x00 \\x00E\\x00s\\x00t\\x00a\\x00b\\x00l\\x00i\\x00s\\x00h\\x00e\\x00d\\x00\\x00\\x00B\\x00y\\x00t\\x00e\\x00s\\x00 \\x00R\\x00e\\x00c\\x00e\\x00i\\x00v\\x00e\\x00d\\x00\\x00\\x00B\\x00y\\x00t\\x00e\\x00s\\x00 \\x00S\\x00e\\x00n\\x00t\\x00\\x00\\x00D\\x00a\\x00t\\x00a\\x00g\\x00r\\x00a\\x00m\\x00s\\x00 \\x00R\\x00e\\x00c\\x00e\\x00i\\x00v\\x00e\\x00d\\x00\\x00\\x00D\\x00a\\x00t\\x00a\\x00g\\x00r\\x00a\\x00m\\x00s\\x00 \\x00S\\x00e\\x00n\\x00t\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:18,705",
        "eid": 305,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:18,705",
        "eid": 306,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:18,721",
        "eid": 307,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:18,830",
        "eid": 308,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:18,830",
        "eid": 309,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:18,830",
        "eid": 310,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:18,830",
        "eid": 311,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:18,877",
        "eid": 312,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:18,924",
        "eid": 313,
        "data": {
          "file": "Advapi32.dll",
          "pathtofile": null,
          "moduleaddress": "0x76ea0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:18,924",
        "eid": 314,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:18,924",
        "eid": 315,
        "data": {
          "file": "Kernel32",
          "pathtofile": null,
          "moduleaddress": "0x76ab0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:18,924",
        "eid": 316,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:18,955",
        "eid": 317,
        "data": {
          "file": "C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\uxtheme.dll",
          "pathtofile": null,
          "moduleaddress": "0x00000000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:18,955",
        "eid": 318,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:18,955",
        "eid": 319,
        "data": {
          "file": "uxtheme.dll",
          "pathtofile": null,
          "moduleaddress": "0x745d0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:18,955",
        "eid": 320,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:18,955",
        "eid": 321,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:19,268",
        "eid": 322,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:19,424",
        "eid": 323,
        "data": {
          "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Culture.dll",
          "pathtofile": null,
          "moduleaddress": "0x70b00000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:19,424",
        "eid": 324,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:19,439",
        "eid": 325,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:19,486",
        "eid": 326,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:19,502",
        "eid": 327,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:19,518",
        "eid": 328,
        "data": {
          "file": "advapi32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:19,518",
        "eid": 329,
        "data": {
          "file": "advapi32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:19,564",
        "eid": 330,
        "data": {
          "file": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\bcrypt.dll",
          "pathtofile": null,
          "moduleaddress": "0x00000000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:19,564",
        "eid": 331,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:19,564",
        "eid": 332,
        "data": {
          "file": "bcrypt.dll",
          "pathtofile": null,
          "moduleaddress": "0x76160000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:19,564",
        "eid": 333,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:19,564",
        "eid": 334,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:19,564",
        "eid": 335,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:19,564",
        "eid": 336,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-04-16 20:00:19,643",
        "eid": 337,
        "data": {
          "file": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:19,689",
        "eid": 338,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:19,705",
        "eid": 339,
        "data": {
          "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Gdiplus.dll",
          "pathtofile": null,
          "moduleaddress": "0x00000000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:19,705",
        "eid": 340,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:20,064",
        "eid": 341,
        "data": {
          "file": "gdiplus.dll",
          "pathtofile": null,
          "moduleaddress": "0x709a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:20,064",
        "eid": 342,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:20,064",
        "eid": 343,
        "data": {
          "file": "user32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:20,096",
        "eid": 344,
        "data": {
          "file": "gdi32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:20,111",
        "eid": 345,
        "data": {
          "file": "C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097\\GdiPlus.dll",
          "pathtofile": null,
          "moduleaddress": "0x709a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:20,111",
        "eid": 346,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,236",
        "eid": 347,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\FontCache\\Parameters\\ClientCacheSize",
          "content": "4194304"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,236",
        "eid": 348,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,408",
        "eid": 349,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,408",
        "eid": 350,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,455",
        "eid": 351,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,549",
        "eid": 352,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ca-ES",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,549",
        "eid": 353,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ca-ES",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,549",
        "eid": 354,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\cs-CZ",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,549",
        "eid": 355,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\cs-CZ",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,549",
        "eid": 356,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\da-DK",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,549",
        "eid": 357,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\da-DK",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,549",
        "eid": 358,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\de-DE",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,549",
        "eid": 359,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\de-DE",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,549",
        "eid": 360,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\el-GR",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,549",
        "eid": 361,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\el-GR",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,549",
        "eid": 362,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\es-ES_tradnl",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 363,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\es-ES_tradnl",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 364,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\fi-FI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 365,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\fi-FI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 366,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\fr-FR",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 367,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\fr-FR",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 368,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\hu-HU",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 369,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\hu-HU",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 370,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\it-IT",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 371,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\it-IT",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 372,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\nl-NL",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 373,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\nl-NL",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 374,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\nb-NO",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 375,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\nb-NO",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 376,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\pl-PL",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 377,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\pl-PL",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 378,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\pt-BR",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 379,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\pt-BR",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 380,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\sk-SK",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 381,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\sk-SK",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 382,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\sv-SE",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 383,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\sv-SE",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 384,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\tr-TR",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 385,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\tr-TR",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 386,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\sl-SI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 387,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\sl-SI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 388,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\eu-ES",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 389,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\eu-ES",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 390,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\es-MX",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 391,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\es-MX",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 392,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\pt-PT",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 393,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\pt-PT",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 394,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\es-ES",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 395,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\es-ES",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 396,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\fr-CA",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,564",
        "eid": 397,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\fr-CA",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,580",
        "eid": 398,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\vi-VN",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,580",
        "eid": 399,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\vi-VN",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,908",
        "eid": 400,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ko-kr",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,908",
        "eid": 401,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ko-kr",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,924",
        "eid": 402,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\zh-hk",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,924",
        "eid": 403,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\zh-hk",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,924",
        "eid": 404,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\zh-tw",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,924",
        "eid": 405,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\zh-tw",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,971",
        "eid": 406,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\zh-cn",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:20,971",
        "eid": 407,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\zh-cn",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:21,018",
        "eid": 408,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ja-jp",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:21,018",
        "eid": 409,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ja-jp",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:21,127",
        "eid": 410,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\zh-sg",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:21,127",
        "eid": 411,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\zh-sg",
          "content": null
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-04-16 20:00:21,283",
        "eid": 412,
        "data": {
          "file": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:21,674",
        "eid": 413,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\he-IL",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:21,674",
        "eid": 414,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\he-IL",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,596",
        "eid": 415,
        "data": {
          "file": "WindowsCodecs.dll",
          "pathtofile": null,
          "moduleaddress": "0x70360000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,752",
        "eid": 416,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,768",
        "eid": 417,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 418,
        "data": {
          "file": "C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x00000000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 419,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,908",
        "eid": 420,
        "data": {
          "file": "comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x70150000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,908",
        "eid": 421,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 422,
        "data": {
          "file": "user32",
          "pathtofile": null,
          "moduleaddress": "0x75d10000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,002",
        "eid": 423,
        "data": {
          "file": "comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x70150000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,018",
        "eid": 424,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,018",
        "eid": 425,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 426,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\CTF\\EnableAnchorContext",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,705",
        "eid": 427,
        "data": {
          "file": "USER32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,893",
        "eid": 428,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,893",
        "eid": 429,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,205",
        "eid": 430,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,205",
        "eid": 431,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath",
          "content": "C:\\Windows\\Fonts\\staticcache.dat"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-04-16 20:00:25,205",
        "eid": 432,
        "data": {
          "file": "C:\\Windows\\Fonts\\StaticCache.dat"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:25,705",
        "eid": 433,
        "data": {
          "file": "C:\\Windows\\assembly\\GAC_MSIL\\mscorlib.resources\\2.0.0.0_ru_b77a5c561934e089\\mscorlib.resources.dll",
          "pathtofile": null,
          "moduleaddress": "0x0a170000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:25,705",
        "eid": 434,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,752",
        "eid": 435,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,752",
        "eid": 436,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2",
          "content": "SimSun-ExtB"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,752",
        "eid": 437,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,752",
        "eid": 438,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,752",
        "eid": 439,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,752",
        "eid": 440,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,752",
        "eid": 441,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,752",
        "eid": 442,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,752",
        "eid": 443,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,752",
        "eid": 444,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,752",
        "eid": 445,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,752",
        "eid": 446,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,752",
        "eid": 447,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,768",
        "eid": 448,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,768",
        "eid": 449,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,768",
        "eid": 450,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:25,768",
        "eid": 451,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,814",
        "eid": 452,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,861",
        "eid": 453,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,861",
        "eid": 454,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)",
          "content": "C:\\Windows\\SysWOW64\\mscoree.dll"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:25,861",
        "eid": 455,
        "data": {
          "file": "C:\\Windows\\SysWOW64\\mscoree.dll",
          "pathtofile": null,
          "moduleaddress": "0x74160000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:25,861",
        "eid": 456,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,861",
        "eid": 457,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,861",
        "eid": 458,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)",
          "content": "diasymreader.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,861",
        "eid": 459,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\AlwaysReadHKCRForCLSIDs",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,986",
        "eid": 460,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,986",
        "eid": 461,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)",
          "content": "diasymreader.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:27,393",
        "eid": 462,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:27,580",
        "eid": 463,
        "data": {
          "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\diasymreader.dll",
          "pathtofile": null,
          "moduleaddress": "0x705c0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:27,580",
        "eid": 464,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-04-16 20:00:27,721",
        "eid": 465,
        "data": {
          "file": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-04-16 20:00:27,721",
        "eid": 466,
        "data": {
          "file": "C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:27,721",
        "eid": 467,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:27,721",
        "eid": 468,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)",
          "content": "C:\\Windows\\SysWOW64\\mscoree.dll"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:27,721",
        "eid": 469,
        "data": {
          "file": "C:\\Windows\\SysWOW64\\mscoree.dll",
          "pathtofile": null,
          "moduleaddress": "0x74160000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:27,721",
        "eid": 470,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-04-16 20:00:27,799",
        "eid": 471,
        "data": {
          "file": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-04-16 20:00:27,799",
        "eid": 472,
        "data": {
          "file": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-04-16 20:00:27,799",
        "eid": 473,
        "data": {
          "file": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-04-16 20:00:27,814",
        "eid": 474,
        "data": {
          "file": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-04-16 20:00:27,814",
        "eid": 475,
        "data": {
          "file": "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:21,643",
        "eid": 476,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:21,643",
        "eid": 477,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:21,643",
        "eid": 478,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:21,643",
        "eid": 479,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:21,643",
        "eid": 480,
        "data": {
          "file": "KERNEL32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:21,643",
        "eid": 481,
        "data": {
          "file": "msvcrt.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:21,643",
        "eid": 482,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:21,643",
        "eid": 483,
        "data": {
          "file": "MSCoree.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:21,643",
        "eid": 484,
        "data": {
          "file": "PGORT80.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:21,643",
        "eid": 485,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:21,643",
        "eid": 486,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:21,643",
        "eid": 487,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:21,643",
        "eid": 488,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:21,643",
        "eid": 489,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:21,799",
        "eid": 490,
        "data": {
          "file": "C:\\Windows\\System32\\wer.dll",
          "pathtofile": null,
          "moduleaddress": "0x705a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:21,799",
        "eid": 491,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:21,830",
        "eid": 492,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:21,846",
        "eid": 493,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
          "content": "kernel32.dll"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:21,846",
        "eid": 494,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": "0x76ab0000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:21,861",
        "eid": 495,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:21,861",
        "eid": 496,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:21,861",
        "eid": 497,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:21,861",
        "eid": 498,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,346",
        "eid": 499,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,346",
        "eid": 500,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,346",
        "eid": 501,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\LogFlags",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,346",
        "eid": 502,
        "data": {
          "file": "api-ms-win-eventing-provider-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,346",
        "eid": 503,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\CommercialDataOptIn",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,346",
        "eid": 504,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,346",
        "eid": 505,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiOverridePath",
          "content": "C:\\Windows\\AppCompat\\Programs\\Amcache.hve.tmp"
        }
      },
      {
        "event": "delete",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,346",
        "eid": 506,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiOverridePath"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,346",
        "eid": 507,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,346",
        "eid": 508,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,346",
        "eid": 509,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiOverridePath",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,346",
        "eid": 510,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,346",
        "eid": 511,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,346",
        "eid": 512,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,346",
        "eid": 513,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiHivePermissionsCorrect",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,346",
        "eid": 514,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiHiveOwnerCorrect",
          "content": "1"
        }
      },
      {
        "event": "delete",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,361",
        "eid": 515,
        "data": {
          "regkey": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\PermissionsCheckTestKey"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,361",
        "eid": 516,
        "data": {
          "regkey": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\ProviderVersion",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,361",
        "eid": 517,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,361",
        "eid": 518,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,361",
        "eid": 519,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiOverridePath",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,361",
        "eid": 520,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,361",
        "eid": 521,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,361",
        "eid": 522,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiOverridePath",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,361",
        "eid": 523,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,361",
        "eid": 524,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,377",
        "eid": 525,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,377",
        "eid": 526,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiHivePermissionsCorrect",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,377",
        "eid": 527,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\AmiHiveOwnerCorrect",
          "content": "1"
        }
      },
      {
        "event": "delete",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,377",
        "eid": 528,
        "data": {
          "regkey": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\PermissionsCheckTestKey"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,377",
        "eid": 529,
        "data": {
          "regkey": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\ProviderVersion",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,377",
        "eid": 530,
        "data": {
          "file": "kernel32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,471",
        "eid": 531,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,518",
        "eid": 532,
        "data": {
          "file": "sfc.dll",
          "pathtofile": null,
          "moduleaddress": "0x66680000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,596",
        "eid": 533,
        "data": {
          "file": "C:\\Windows\\System32\\rsaenh.dll",
          "pathtofile": null,
          "moduleaddress": "0x74c10000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,596",
        "eid": 534,
        "data": {
          "file": "C:\\Windows\\System32\\bcryptprimitives.dll",
          "pathtofile": null,
          "moduleaddress": "0x76d80000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,611",
        "eid": 535,
        "data": {
          "regkey": "\\REGISTRY\\A\\{f1f4584e-2bf2-22db-1ed1-80a56f8d1c82}\\Root\\InventoryApplicationFile\\ProviderSyncId",
          "content": "{57852d72-bcea-4e97-b753-abb8f58c9301}"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,611",
        "eid": 536,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,611",
        "eid": 537,
        "data": {
          "file": "wdscore.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,627",
        "eid": 538,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MachineID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,627",
        "eid": 539,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MachineID",
          "content": "{DEA0B215-B8D4-44C0-B1F3-E3A7DA9D6FC6}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,627",
        "eid": 540,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,674",
        "eid": 541,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ru-RU",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,674",
        "eid": 542,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ru-RU",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 543,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\NewUserDefaultConsent",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 544,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 545,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 546,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 547,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 548,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 549,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 550,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\CLR20r3",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 551,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 552,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 553,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 554,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 555,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 556,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BrokerUp\\CLR20r3",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 557,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 558,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 559,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 560,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 561,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 562,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 563,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 564,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 565,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 566,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 567,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 568,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 569,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 570,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 571,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 572,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 573,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 574,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 575,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\CLR20r3",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 576,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 577,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 578,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 579,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 580,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 581,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 582,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 583,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 584,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 585,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 586,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 587,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 588,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 589,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 590,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BrokerUp\\CLR20r3",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 591,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 592,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 593,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 594,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 595,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinFreeDiskSpace",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 596,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 597,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 598,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceHeapDump",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 599,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceMetadata",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 600,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Source",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 601,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\User",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 602,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\StorePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 603,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceEtw",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 604,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUploadOnFreeNetworksOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 605,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\UploadOnFreeNetworksOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 606,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveSeparate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 607,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 608,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalCompression",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 609,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableWerUpload",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 610,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableEnterpriseAuthProxy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 611,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ArchiveFolderCountLimit",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 612,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueSizeMaxPercentFreeDisk",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 613,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinQueueSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 614,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxRetriesForSasRenewal",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 615,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\NoHeapDumpOnQueue",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,689",
        "eid": 616,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DeferCabUpload",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,705",
        "eid": 617,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,705",
        "eid": 618,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,705",
        "eid": 619,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 620,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x702d0000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 621,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 622,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior",
          "content": "73777"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 623,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 624,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 625,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 626,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 627,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 628,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": "AllowTelemetry_PolicyManager"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 629,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 630,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 631,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 632,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 633,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 634,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 635,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 636,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 637,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 638,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 639,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 640,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 641,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 642,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,783",
        "eid": 643,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 644,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x700c0000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 645,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 646,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior",
          "content": "73777"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 647,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 648,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 649,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 650,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 651,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 652,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": "AllowTelemetry_PolicyManager"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 653,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 654,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 655,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 656,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 657,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 658,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 659,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 660,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 661,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 662,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 663,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 664,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 665,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 666,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 667,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 668,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x700c0000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,799",
        "eid": 669,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 670,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior",
          "content": "73777"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 671,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 672,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 673,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 674,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 675,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 676,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": "AllowTelemetry_PolicyManager"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 677,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 678,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 679,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 680,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 681,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 682,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 683,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 684,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 685,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 686,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 687,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 688,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 689,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MSFTInternal",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 690,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\IsTest",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 691,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\NewUserDefaultConsent",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 692,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 693,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 694,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 695,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 696,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 697,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 698,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 699,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 700,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 701,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 702,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 703,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 704,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 705,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 706,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 707,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 708,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 709,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 710,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 711,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 712,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 713,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 714,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 715,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 716,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 717,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,814",
        "eid": 718,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 719,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 720,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 721,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 722,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 723,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 724,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 725,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 726,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 727,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 728,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 729,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 730,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 731,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 732,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 733,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 734,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 735,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 736,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 737,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 738,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 739,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinFreeDiskSpace",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 740,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 741,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 742,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceHeapDump",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 743,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceMetadata",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 744,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Source",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 745,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\User",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 746,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\StorePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 747,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceEtw",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 748,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUploadOnFreeNetworksOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 749,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\UploadOnFreeNetworksOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 750,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveSeparate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 751,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 752,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalCompression",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 753,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableWerUpload",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 754,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableEnterpriseAuthProxy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 755,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ArchiveFolderCountLimit",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 756,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueSizeMaxPercentFreeDisk",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 757,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinQueueSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 758,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxRetriesForSasRenewal",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 759,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\NoHeapDumpOnQueue",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 760,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DeferCabUpload",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 761,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 762,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,830",
        "eid": 763,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 764,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x700c0000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 765,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 766,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior",
          "content": "73777"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 767,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 768,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 769,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 770,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 771,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 772,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": "AllowTelemetry_PolicyManager"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 773,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 774,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 775,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 776,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 777,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 778,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 779,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 780,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 781,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 782,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 783,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 784,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 785,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 786,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,846",
        "eid": 787,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 788,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x700c0000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 789,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 790,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior",
          "content": "73777"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 791,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 792,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 793,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 794,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 795,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 796,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": "AllowTelemetry_PolicyManager"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 797,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 798,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 799,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 800,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 801,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 802,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 803,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 804,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 805,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 806,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 807,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 808,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 809,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 810,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,861",
        "eid": 811,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,877",
        "eid": 812,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x700c0000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,877",
        "eid": 813,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,877",
        "eid": 814,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior",
          "content": "73777"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,877",
        "eid": 815,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,877",
        "eid": 816,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,877",
        "eid": 817,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,877",
        "eid": 818,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,877",
        "eid": 819,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,877",
        "eid": 820,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": "AllowTelemetry_PolicyManager"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,877",
        "eid": 821,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,877",
        "eid": 822,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,877",
        "eid": 823,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,877",
        "eid": 824,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,877",
        "eid": 825,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,877",
        "eid": 826,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,877",
        "eid": 827,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,877",
        "eid": 828,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,877",
        "eid": 829,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,877",
        "eid": 830,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,877",
        "eid": 831,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,877",
        "eid": 832,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,893",
        "eid": 833,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MSFTInternal",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,893",
        "eid": 834,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\IsTest",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,908",
        "eid": 835,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\NewUserDefaultConsent",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 836,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 837,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 838,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 839,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 840,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 841,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 842,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 843,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 844,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 845,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 846,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 847,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 848,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 849,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 850,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 851,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 852,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 853,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 854,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 855,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 856,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 857,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 858,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 859,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 860,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 861,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 862,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 863,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 864,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 865,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 866,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 867,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 868,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 869,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 870,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 871,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 872,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 873,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 874,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 875,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 876,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 877,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 878,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 879,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 880,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 881,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 882,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 883,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinFreeDiskSpace",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 884,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 885,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 886,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceHeapDump",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 887,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceMetadata",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 888,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Source",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 889,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\User",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 890,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\StorePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 891,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceEtw",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 892,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUploadOnFreeNetworksOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 893,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\UploadOnFreeNetworksOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 894,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveSeparate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 895,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 896,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalCompression",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 897,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableWerUpload",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 898,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableEnterpriseAuthProxy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 899,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ArchiveFolderCountLimit",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 900,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueSizeMaxPercentFreeDisk",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 901,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinQueueSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 902,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxRetriesForSasRenewal",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 903,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\NoHeapDumpOnQueue",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 904,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DeferCabUpload",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 905,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 906,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,924",
        "eid": 907,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 908,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x700c0000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 909,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 910,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior",
          "content": "73777"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 911,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 912,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 913,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 914,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 915,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 916,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": "AllowTelemetry_PolicyManager"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 917,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 918,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 919,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 920,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 921,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 922,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 923,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 924,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 925,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 926,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 927,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 928,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 929,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 930,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,939",
        "eid": 931,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 932,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x700c0000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 933,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 934,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior",
          "content": "73777"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 935,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 936,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 937,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 938,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 939,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 940,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": "AllowTelemetry_PolicyManager"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 941,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 942,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 943,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 944,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 945,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 946,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 947,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 948,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 949,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 950,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 951,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 952,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 953,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 954,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,955",
        "eid": 955,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 956,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x700c0000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 957,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 958,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior",
          "content": "73777"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 959,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 960,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 961,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 962,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 963,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 964,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": "AllowTelemetry_PolicyManager"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 965,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 966,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 967,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 968,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 969,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 970,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 971,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 972,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 973,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 974,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 975,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 976,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 977,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MSFTInternal",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:22,971",
        "eid": 978,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\IsTest",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,033",
        "eid": 979,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,033",
        "eid": 980,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 981,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\NewUserDefaultConsent",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 982,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 983,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 984,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 985,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 986,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 987,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 988,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 989,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 990,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 991,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 992,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 993,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 994,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 995,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 996,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 997,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 998,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 999,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1000,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1001,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1002,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1003,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1004,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1005,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1006,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1007,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1008,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1009,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1010,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1011,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1012,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1013,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1014,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1015,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1016,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1017,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1018,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1019,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1020,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1021,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1022,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1023,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1024,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1025,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1026,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1027,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1028,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1029,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinFreeDiskSpace",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1030,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1031,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1032,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceHeapDump",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1033,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceMetadata",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1034,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Source",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1035,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\User",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1036,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\StorePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1037,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceEtw",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1038,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUploadOnFreeNetworksOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1039,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\UploadOnFreeNetworksOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1040,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveSeparate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1041,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1042,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalCompression",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1043,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableWerUpload",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1044,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableEnterpriseAuthProxy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1045,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ArchiveFolderCountLimit",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1046,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueSizeMaxPercentFreeDisk",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1047,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinQueueSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1048,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxRetriesForSasRenewal",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1049,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\NoHeapDumpOnQueue",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1050,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DeferCabUpload",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1051,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1052,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,064",
        "eid": 1053,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1054,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x70000000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1055,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1056,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior",
          "content": "73777"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1057,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1058,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1059,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1060,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1061,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1062,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": "AllowTelemetry_PolicyManager"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1063,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1064,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1065,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1066,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1067,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1068,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1069,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1070,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1071,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1072,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1073,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1074,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1075,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1076,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,080",
        "eid": 1077,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1078,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x70000000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1079,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1080,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior",
          "content": "73777"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1081,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1082,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1083,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1084,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1085,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1086,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": "AllowTelemetry_PolicyManager"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1087,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1088,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1089,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1090,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1091,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1092,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1093,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1094,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1095,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1096,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1097,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1098,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1099,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1100,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,096",
        "eid": 1101,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1102,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x70000000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1103,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1104,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior",
          "content": "73777"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1105,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1106,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1107,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1108,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1109,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1110,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": "AllowTelemetry_PolicyManager"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1111,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1112,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1113,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1114,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1115,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1116,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1117,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1118,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1119,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1120,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1121,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1122,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1123,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MSFTInternal",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,111",
        "eid": 1124,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\IsTest",
          "content": null
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1125,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1126,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1127,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1128,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1129,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1130,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
          "content": "Windows 10 Pro"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1131,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\EditionID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1132,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\EditionID",
          "content": "Professional"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1133,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Ubr",
          "content": "2006"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1134,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\UBR",
          "content": "2006"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1135,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildLabEx",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1136,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildLabEx",
          "content": "19041.1.amd64fre.vb_release.191206-1406"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1137,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildBranch",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1138,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildBranch",
          "content": "vb_release"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1139,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1140,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType",
          "content": "Multiprocessor Free"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1141,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1142,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1143,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1144,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1145,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1146,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1147,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1148,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,143",
        "eid": 1149,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,158",
        "eid": 1150,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,158",
        "eid": 1151,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,158",
        "eid": 1152,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,158",
        "eid": 1153,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,158",
        "eid": 1154,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,158",
        "eid": 1155,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,158",
        "eid": 1156,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,158",
        "eid": 1157,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,221",
        "eid": 1158,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,221",
        "eid": 1159,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,221",
        "eid": 1160,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,221",
        "eid": 1161,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,221",
        "eid": 1162,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,221",
        "eid": 1163,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,221",
        "eid": 1164,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,221",
        "eid": 1165,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,221",
        "eid": 1166,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,221",
        "eid": 1167,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,236",
        "eid": 1168,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,236",
        "eid": 1169,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,236",
        "eid": 1170,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,236",
        "eid": 1171,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,236",
        "eid": 1172,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,236",
        "eid": 1173,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1174,
        "data": {
          "file": "api-ms-win-eventing-provider-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1175,
        "data": {
          "file": "api-ms-win-core-synch-l1-2-0.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1176,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1177,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1178,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Name",
          "content": "Cache"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1179,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\ParentFolder",
          "content": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1180,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1181,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\RelativePath",
          "content": "Microsoft\\Windows\\INetCache"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1182,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1183,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1184,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1185,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1186,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1187,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1188,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1189,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\LocalRedirectOnly",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1190,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1191,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1192,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1193,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1194,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1195,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1196,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1197,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1198,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Cache",
          "content": "%USERPROFILE%\\AppData\\Local\\Microsoft\\Windows\\INetCache"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1199,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru-RU",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,252",
        "eid": 1200,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\ru",
          "content": "{0000004A-57EE-1E5C-00B4-D0000BB1E11E}"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,268",
        "eid": 1201,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,268",
        "eid": 1202,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,268",
        "eid": 1203,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:23,268",
        "eid": 1204,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:23,283",
        "eid": 1205,
        "data": {
          "file": "Kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:23,283",
        "eid": 1206,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,205",
        "eid": 1207,
        "data": {
          "file": "imm32.dll",
          "pathtofile": null,
          "moduleaddress": "0x774e0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,205",
        "eid": 1208,
        "data": {
          "file": "Comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x6fd80000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,205",
        "eid": 1209,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MachineID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,205",
        "eid": 1210,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MachineID",
          "content": "{DEA0B215-B8D4-44C0-B1F3-E3A7DA9D6FC6}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,205",
        "eid": 1211,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,205",
        "eid": 1212,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer",
          "content": "QEMU"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,205",
        "eid": 1213,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\BIOSVersion",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,205",
        "eid": 1214,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\BIOSVersion",
          "content": "rel-1.16.3-0-ga6ed6b7-prebuilt.qemu.org"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,205",
        "eid": 1215,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemProductName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,205",
        "eid": 1216,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemProductName",
          "content": "Standard PC (Q35 + ICH9, 2009)"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,205",
        "eid": 1217,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate",
          "content": "1772654483"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,205",
        "eid": 1218,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE\\Stats\\EndTimeStamp",
          "content": "\\xea\\x07\\x03\\x00\\x03\\x00\\x04\\x00\\x14\\x00\\x00\\x00\\x15\\x00L\\x03"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,205",
        "eid": 1219,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,221",
        "eid": 1220,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,221",
        "eid": 1221,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,236",
        "eid": 1222,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ContainerType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,236",
        "eid": 1223,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ContainerId",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,252",
        "eid": 1224,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MachineID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,252",
        "eid": 1225,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MachineID",
          "content": "{DEA0B215-B8D4-44C0-B1F3-E3A7DA9D6FC6}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,283",
        "eid": 1226,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,283",
        "eid": 1227,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\crypt32\\DiagMatchAnyMask",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,283",
        "eid": 1228,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,283",
        "eid": 1229,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,283",
        "eid": 1230,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,283",
        "eid": 1231,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,283",
        "eid": 1232,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,299",
        "eid": 1233,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3749840076-4109591986-3192690632-1000\\ProfileImagePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,299",
        "eid": 1234,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3749840076-4109591986-3192690632-1000\\ProfileImagePath",
          "content": "C:\\Users\\cape"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,393",
        "eid": 1235,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Control Panel\\International\\Geo\\Nation",
          "content": "203"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,393",
        "eid": 1236,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\608",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,393",
        "eid": 1237,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\UBR",
          "content": "2006"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,393",
        "eid": 1238,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\TelemetryProtocolServerRoles",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,393",
        "eid": 1239,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE\\Stats\\EndTimeStamp",
          "content": "\\xea\\x07\\x03\\x00\\x03\\x00\\x04\\x00\\x14\\x00\\x00\\x00\\x15\\x00L\\x03"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,393",
        "eid": 1240,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\9292",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,393",
        "eid": 1241,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\svcVersion",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,393",
        "eid": 1242,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\svcVersion",
          "content": "11.789.19041.0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,393",
        "eid": 1243,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\svcUpdateVersion",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,393",
        "eid": 1244,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\svcUpdateVersion",
          "content": "11.0.1000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,393",
        "eid": 1245,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\EditionID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,393",
        "eid": 1246,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\EditionID",
          "content": "Professional"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,393",
        "eid": 1247,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\9197",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,393",
        "eid": 1248,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\35",
          "content": "8192"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,393",
        "eid": 1249,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12729",
          "content": "99"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,408",
        "eid": 1250,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12730",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,408",
        "eid": 1251,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12736",
          "content": "191206"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,408",
        "eid": 1252,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12737",
          "content": "1406"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,408",
        "eid": 1253,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildBranch",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,408",
        "eid": 1254,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildBranch",
          "content": "vb_release"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,408",
        "eid": 1255,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,408",
        "eid": 1256,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType",
          "content": "Multiprocessor Free"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,408",
        "eid": 1257,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12675",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,408",
        "eid": 1258,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12676",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,408",
        "eid": 1259,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12677",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,408",
        "eid": 1260,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12678",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,408",
        "eid": 1261,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\UBR",
          "content": "2006"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,408",
        "eid": 1262,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildLabEx",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,408",
        "eid": 1263,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildLabEx",
          "content": "19041.1.amd64fre.vb_release.191206-1406"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,408",
        "eid": 1264,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildBranch",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,408",
        "eid": 1265,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildBranch",
          "content": "vb_release"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,408",
        "eid": 1266,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Flighting\\Build\\UpdateID",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,408",
        "eid": 1267,
        "data": {
          "file": "C:\\Windows\\system32\\rpcss.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,424",
        "eid": 1268,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,424",
        "eid": 1269,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,424",
        "eid": 1270,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ContainerType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,424",
        "eid": 1271,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ContainerId",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,424",
        "eid": 1272,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,424",
        "eid": 1273,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,424",
        "eid": 1274,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,439",
        "eid": 1275,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\DllPath",
          "content": "C:\\Windows\\System32\\twinapi.appcore.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,439",
        "eid": 1276,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,439",
        "eid": 1277,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,439",
        "eid": 1278,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,439",
        "eid": 1279,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,439",
        "eid": 1280,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,439",
        "eid": 1281,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,439",
        "eid": 1282,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,439",
        "eid": 1283,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Profile.EducationSettings\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,439",
        "eid": 1284,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaxSxSHashCount",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,627",
        "eid": 1285,
        "data": {
          "file": "C:\\Windows\\System32\\twinapi.appcore.dll",
          "pathtofile": null,
          "moduleaddress": "0x6fa40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,627",
        "eid": 1286,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SharedPC\\EduSharedPCMode",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,658",
        "eid": 1287,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,658",
        "eid": 1288,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
          "content": "combase.dll"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,658",
        "eid": 1289,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,658",
        "eid": 1290,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,658",
        "eid": 1291,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,658",
        "eid": 1292,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,658",
        "eid": 1293,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,658",
        "eid": 1294,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\8073",
          "content": "1"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,658",
        "eid": 1295,
        "data": {
          "file": "C:\\Windows\\System32\\ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,658",
        "eid": 1296,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\OEM\\DeviceForm",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,658",
        "eid": 1297,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\OEM\\DeviceForm",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,658",
        "eid": 1298,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1299,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer",
          "content": "QEMU"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1300,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\BIOSVersion",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1301,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\BIOSVersion",
          "content": "rel-1.16.3-0-ga6ed6b7-prebuilt.qemu.org"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1302,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemProductName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1303,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemProductName",
          "content": "Standard PC (Q35 + ICH9, 2009)"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1304,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\10433",
          "content": "8192"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1305,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\31",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1306,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\~MHz",
          "content": "2600"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1307,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\4573",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1308,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\4572",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1309,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1310,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString",
          "content": "Intel(R) Xeon(R) CPU E5-2689 0 @ 2.60GHz"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1311,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\4575",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1312,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\9290",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1313,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemSKU",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1314,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemSKU",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1315,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\ComputerHardwareId",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1316,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\ComputerHardwareId",
          "content": "{081218f3-79c6-50d9-9cbe-2ba7d440c011}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1317,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12728",
          "content": "100"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1318,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MachineId",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1319,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MachineId",
          "content": "{DEA0B215-B8D4-44C0-B1F3-E3A7DA9D6FC6}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1320,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MSFTInternal",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1321,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\IsTest",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1322,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC\\RacSampleNumber",
          "content": "94547845"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1323,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\CorporateSQMURL",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1324,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\CommercialId",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1325,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1326,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\CommercialId",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1327,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CommonDatapoints\\12674",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1328,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1329,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,674",
        "eid": 1330,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1331,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x6fb40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1332,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1333,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior",
          "content": "73777"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1334,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1335,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1336,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1337,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1338,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1339,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": "AllowTelemetry_PolicyManager"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1340,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1341,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1342,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1343,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1344,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1345,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1346,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1347,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1348,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1349,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1350,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1351,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1352,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,689",
        "eid": 1353,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,705",
        "eid": 1354,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,705",
        "eid": 1355,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x6fb40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,705",
        "eid": 1356,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,705",
        "eid": 1357,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior",
          "content": "73777"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,705",
        "eid": 1358,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,705",
        "eid": 1359,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,705",
        "eid": 1360,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,705",
        "eid": 1361,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,705",
        "eid": 1362,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,705",
        "eid": 1363,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": "AllowTelemetry_PolicyManager"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,705",
        "eid": 1364,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,705",
        "eid": 1365,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,705",
        "eid": 1366,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,705",
        "eid": 1367,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,705",
        "eid": 1368,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,705",
        "eid": 1369,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,705",
        "eid": 1370,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,705",
        "eid": 1371,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,705",
        "eid": 1372,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,705",
        "eid": 1373,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1374,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1375,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1376,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1377,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1378,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1379,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x6fb40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1380,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1381,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior",
          "content": "73777"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1382,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1383,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1384,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1385,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1386,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1387,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": "AllowTelemetry_PolicyManager"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1388,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1389,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1390,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1391,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1392,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1393,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1394,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1395,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1396,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1397,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1398,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1399,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,721",
        "eid": 1400,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x6fb40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1401,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1402,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\Behavior",
          "content": "139296"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1403,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\MergeAlgorithm",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1404,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1405,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1406,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1407,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\grouppolicyname",
          "content": "AllowCommercialDataPipeline"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1408,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\grouppolicypath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1409,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\grouppolicypath",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1410,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\grouppolicyismultisz",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1411,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\grouppolicymultiszSeparatorChar",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1412,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1413,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1414,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1415,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1416,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowCommercialDataPipeline\\Value",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1417,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowCommercialDataPipeline",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1418,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowCommercialDataPipeline",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1419,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1420,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\Behavior",
          "content": "139296"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1421,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\MergeAlgorithm",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1422,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1423,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1424,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1425,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\grouppolicyname",
          "content": "AllowDesktopAnalyticsProcessing"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1426,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\grouppolicypath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1427,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\grouppolicypath",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1428,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\grouppolicyismultisz",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1429,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\grouppolicymultiszSeparatorChar",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1430,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1431,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1432,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1433,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1434,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowDesktopAnalyticsProcessing\\Value",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1435,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowDesktopAnalyticsProcessing",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1436,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowDesktopAnalyticsProcessing",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1437,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1438,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\Behavior",
          "content": "32"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1439,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\MergeAlgorithm",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1440,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1441,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1442,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1443,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1444,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1445,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1446,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1447,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowMicrosoftManagedDesktopProcessing\\Value",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1448,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1449,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\Behavior",
          "content": "139296"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1450,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\MergeAlgorithm",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1451,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1452,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1453,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1454,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\grouppolicyname",
          "content": "AllowUpdateComplianceProcessing"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1455,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\grouppolicypath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1456,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\grouppolicypath",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1457,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\grouppolicyismultisz",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1458,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\grouppolicymultiszSeparatorChar",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1459,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1460,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1461,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1462,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1463,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowUpdateComplianceProcessing\\Value",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1464,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowUpdateComplianceProcessing",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1465,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowUpdateComplianceProcessing",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1466,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1467,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\Behavior",
          "content": "139296"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1468,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\MergeAlgorithm",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1469,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1470,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1471,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1472,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\grouppolicyname",
          "content": "AllowWUfBCloudProcessing"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1473,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\grouppolicypath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1474,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\grouppolicypath",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1475,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\grouppolicyismultisz",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1476,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\grouppolicymultiszSeparatorChar",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1477,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1478,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1479,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1480,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1481,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing\\Value",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1482,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowWUfBCloudProcessing",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1483,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowWUfBCloudProcessing",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1484,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1485,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\NewUserDefaultConsent",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1486,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1487,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1488,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1489,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1490,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1491,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1492,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1493,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1494,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1495,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1496,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1497,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1498,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1499,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,736",
        "eid": 1500,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1501,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1502,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1503,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1504,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1505,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1506,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1507,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1508,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1509,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1510,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1511,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1512,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1513,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1514,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1515,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1516,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1517,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1518,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1519,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1520,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1521,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1522,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1523,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1524,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1525,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1526,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1527,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1528,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1529,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1530,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1531,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1532,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1533,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinFreeDiskSpace",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1534,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1535,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1536,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceHeapDump",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1537,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceMetadata",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1538,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Source",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1539,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\User",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1540,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\StorePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1541,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceEtw",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1542,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUploadOnFreeNetworksOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1543,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\UploadOnFreeNetworksOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1544,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveSeparate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1545,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1546,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalCompression",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1547,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableWerUpload",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1548,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableEnterpriseAuthProxy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1549,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ArchiveFolderCountLimit",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1550,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueSizeMaxPercentFreeDisk",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1551,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinQueueSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1552,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxRetriesForSasRenewal",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1553,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\NoHeapDumpOnQueue",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1554,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DeferCabUpload",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1555,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1556,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1557,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1558,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x6fb40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1559,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1560,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior",
          "content": "73777"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1561,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1562,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1563,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1564,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1565,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1566,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": "AllowTelemetry_PolicyManager"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1567,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1568,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1569,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1570,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1571,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1572,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1573,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1574,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1575,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,752",
        "eid": 1576,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1577,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1578,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1579,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1580,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1581,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1582,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x6fb40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1583,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1584,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior",
          "content": "73777"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1585,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1586,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1587,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1588,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1589,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1590,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": "AllowTelemetry_PolicyManager"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1591,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1592,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1593,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1594,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1595,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1596,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1597,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1598,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1599,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1600,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1601,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1602,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1603,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1604,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1605,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1606,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x6fb40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1607,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1608,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior",
          "content": "73777"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1609,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1610,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1611,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1612,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1613,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1614,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": "AllowTelemetry_PolicyManager"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1615,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1616,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1617,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1618,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1619,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1620,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1621,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1622,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1623,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1624,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1625,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,768",
        "eid": 1626,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,783",
        "eid": 1627,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MSFTInternal",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,783",
        "eid": 1628,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\IsTest",
          "content": null
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-04-16 20:00:24,908",
        "eid": 1629,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp.xml"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,908",
        "eid": 1630,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,908",
        "eid": 1631,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,908",
        "eid": 1632,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,908",
        "eid": 1633,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x6fb40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,908",
        "eid": 1634,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,908",
        "eid": 1635,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Behavior",
          "content": "73777"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,908",
        "eid": 1636,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\MergeAlgorithm",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,908",
        "eid": 1637,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,908",
        "eid": 1638,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,908",
        "eid": 1639,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegKeyPathRedirect",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,908",
        "eid": 1640,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,908",
        "eid": 1641,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\RegValueNameRedirect",
          "content": "AllowTelemetry_PolicyManager"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,908",
        "eid": 1642,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,908",
        "eid": 1643,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,908",
        "eid": 1644,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,908",
        "eid": 1645,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,908",
        "eid": 1646,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,908",
        "eid": 1647,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\AllowTelemetry\\Value",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,908",
        "eid": 1648,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,908",
        "eid": 1649,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry_PolicyManager",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,908",
        "eid": 1650,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,924",
        "eid": 1651,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:24,924",
        "eid": 1652,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x77e40000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:24,924",
        "eid": 1653,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\AllowTelemetry",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,268",
        "eid": 1654,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceNativeDump",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:25,408",
        "eid": 1655,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:25,408",
        "eid": 1656,
        "data": {
          "file": "mscoree.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:25,689",
        "eid": 1657,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:25,689",
        "eid": 1658,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:25,689",
        "eid": 1659,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:25,689",
        "eid": 1660,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,689",
        "eid": 1661,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3749840076-4109591986-3192690632-1000\\ProfileImagePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,689",
        "eid": 1662,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3749840076-4109591986-3192690632-1000\\ProfileImagePath",
          "content": "C:\\Users\\cape"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,689",
        "eid": 1663,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,689",
        "eid": 1664,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir",
          "content": "C:\\Program Files (x86)\\Common Files"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,689",
        "eid": 1665,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir (x86)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,689",
        "eid": 1666,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir (x86)",
          "content": "C:\\Program Files (x86)\\Common Files"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,689",
        "eid": 1667,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,689",
        "eid": 1668,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
          "content": "C:\\Program Files (x86)"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,689",
        "eid": 1669,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,689",
        "eid": 1670,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)",
          "content": "C:\\Program Files (x86)"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,689",
        "eid": 1671,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProgramData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,689",
        "eid": 1672,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProgramData",
          "content": "%SystemDrive%\\ProgramData"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,689",
        "eid": 1673,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\Public",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,689",
        "eid": 1674,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\Public",
          "content": "%SystemDrive%\\Users\\Public"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:25,689",
        "eid": 1675,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:25,689",
        "eid": 1676,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:25,689",
        "eid": 1677,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,689",
        "eid": 1678,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 20:00:25,705",
        "eid": 1679,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:25,705",
        "eid": 1680,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 20:00:25,705",
        "eid": 1681,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      }
    ],
    "encryptedbuffers": [],
    "network_map": {
      "endpoint_map": {},
      "http_host_map": {},
      "dns_intents": {},
      "http_requests": [],
      "winhttp_sessions": []
    }
  },
  "debug": {
    "log": "2026-03-05 20:34:39,741 [root] INFO: Date set to: 20260416T22:58:50, timeout set to: 200\n2026-04-16 22:58:50,127 [root] DEBUG: Starting analyzer from: C:\\ltb6yatm\n2026-04-16 22:58:50,174 [root] DEBUG: Storing results at: C:\\GFDlBJVSH\n2026-04-16 22:58:50,236 [root] DEBUG: Pipe server name: \\\\.\\PIPE\\vrJeuDCE\n2026-04-16 22:58:50,252 [root] DEBUG: Python path: C:\\Python310\n2026-04-16 22:58:50,252 [root] INFO: analysis running as an admin\n2026-04-16 22:58:50,267 [root] INFO: analysis package specified: \"exe\"\n2026-04-16 22:58:50,283 [root] DEBUG: importing analysis package module: \"modules.packages.exe\"...\n2026-04-16 22:58:50,283 [root] DEBUG: imported analysis package \"exe\"\n2026-04-16 22:58:50,283 [root] DEBUG: initializing analysis package \"exe\"...\n2026-04-16 22:58:50,283 [lib.common.common] INFO: wrapping\n2026-04-16 22:58:50,439 [lib.core.compound] INFO: C:\\Users\\cape\\AppData\\Local\\Temp already exists, skipping creation\n2026-04-16 22:58:50,439 [root] DEBUG: New location of moved file: C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe\n2026-04-16 22:58:50,439 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option\n2026-04-16 22:58:50,439 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option\n2026-04-16 22:58:50,439 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option\n2026-04-16 22:58:50,439 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option\n2026-04-16 22:58:50,580 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.browser\"\n2026-04-16 22:58:51,049 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.digisig\"\n2026-04-16 22:58:51,096 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.disguise\"\n2026-04-16 22:58:51,142 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.human\"\n2026-04-16 22:58:51,314 [lib.api.screenshot] DEBUG: Importing 
'PIL.ImageChops'\n2026-04-16 22:58:51,361 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'\n2026-04-16 22:58:51,471 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'\n2026-04-16 22:58:52,596 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance\n2026-04-16 22:58:52,596 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.screenshots\"\n2026-04-16 22:58:52,596 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.tlsdump\"\n2026-04-16 22:58:52,596 [root] DEBUG: Initialized auxiliary module \"Browser\"\n2026-04-16 22:58:52,596 [root] DEBUG: attempting to configure 'Browser' from data\n2026-04-16 22:58:52,611 [root] DEBUG: module Browser does not support data configuration, ignoring\n2026-04-16 22:58:52,611 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.browser\"...\n2026-04-16 22:58:52,611 [root] DEBUG: Started auxiliary module modules.auxiliary.browser\n2026-04-16 22:58:52,611 [root] DEBUG: Initialized auxiliary module \"DigiSig\"\n2026-04-16 22:58:52,611 [root] DEBUG: attempting to configure 'DigiSig' from data\n2026-04-16 22:58:52,611 [root] DEBUG: module DigiSig does not support data configuration, ignoring\n2026-04-16 22:58:52,611 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.digisig\"...\n2026-04-16 22:58:52,611 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature\n2026-04-16 22:59:35,002 [modules.auxiliary.digisig] DEBUG: File is not signed\n2026-04-16 22:59:35,002 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json\n2026-04-16 22:59:35,033 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig\n2026-04-16 22:59:35,033 [root] DEBUG: Initialized auxiliary module \"Disguise\"\n2026-04-16 22:59:35,033 [root] DEBUG: attempting to configure 'Disguise' from data\n2026-04-16 22:59:35,033 [root] DEBUG: module Disguise does not support data configuration, ignoring\n2026-04-16 22:59:35,033 [root] DEBUG: Trying to start 
auxiliary module \"modules.auxiliary.disguise\"...\n2026-04-16 22:59:35,049 [modules.auxiliary.disguise] INFO: Disguising GUID to c79e2fb7-598a-4fbc-a1d8-465fdc4783c7\n2026-04-16 22:59:35,049 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise\n2026-04-16 22:59:35,049 [root] DEBUG: Initialized auxiliary module \"Human\"\n2026-04-16 22:59:35,064 [root] DEBUG: attempting to configure 'Human' from data\n2026-04-16 22:59:35,064 [root] DEBUG: module Human does not support data configuration, ignoring\n2026-04-16 22:59:35,064 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.human\"...\n2026-04-16 22:59:35,080 [root] DEBUG: Started auxiliary module modules.auxiliary.human\n2026-04-16 22:59:35,096 [root] DEBUG: Initialized auxiliary module \"Screenshots\"\n2026-04-16 22:59:35,096 [root] DEBUG: attempting to configure 'Screenshots' from data\n2026-04-16 22:59:35,096 [root] DEBUG: module Screenshots does not support data configuration, ignoring\n2026-04-16 22:59:35,096 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.screenshots\"...\n2026-04-16 22:59:35,147 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots\n2026-04-16 22:59:35,147 [root] DEBUG: Initialized auxiliary module \"TLSDumpMasterSecrets\"\n2026-04-16 22:59:35,147 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data\n2026-04-16 22:59:35,158 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring\n2026-04-16 22:59:35,158 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.tlsdump\"...\n2026-04-16 22:59:35,158 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 644\n2026-04-16 22:59:35,221 [lib.api.process] INFO: Monitor config for <Process 644 lsass.exe>: C:\\ltb6yatm\\dll\\644.ini\n2026-04-16 22:59:35,330 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor\n2026-04-16 22:59:35,549 [lib.api.process] INFO: 64-bit DLL to inject is C:\\ltb6yatm\\dll\\EsVCTJE.dll, 
loader C:\\ltb6yatm\\bin\\OwUbvZkT.exe\n2026-04-16 22:59:35,752 [root] DEBUG: Loader: Injecting process 644 with C:\\ltb6yatm\\dll\\EsVCTJE.dll.\n2026-04-16 22:59:37,330 [root] DEBUG: 644: Python path set to 'C:\\Python310'.\n2026-04-16 22:59:37,361 [root] DEBUG: 644: Disabling sleep skipping.\n2026-04-16 22:59:37,377 [root] DEBUG: 644: TLS secret dump mode enabled.\n2026-04-16 22:59:37,564 [root] DEBUG: 644: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500\n2026-04-16 22:59:37,564 [root] DEBUG: 644: Monitor initialised: 64-bit capemon loaded in process 644 at 0x00007FFEABE10000, thread 3476, image base 0x00007FF7C23E0000, stack from 0x0000008E4CB71000-0x0000008E4CB80000\n2026-04-16 22:59:37,564 [root] DEBUG: 644: Commandline: C:\\Windows\\system32\\lsass.exe\n2026-04-16 22:59:37,658 [root] DEBUG: 644: Hooked 5 out of 5 functions\n2026-04-16 22:59:37,658 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2026-04-16 22:59:37,658 [root] DEBUG: Successfully injected DLL C:\\ltb6yatm\\dll\\EsVCTJE.dll.\n2026-04-16 22:59:37,674 [lib.api.process] INFO: Injected into 64-bit <Process 644 lsass.exe>\n2026-04-16 22:59:37,674 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump\n2026-04-16 22:59:37,892 [root] DEBUG: 644: TLS 1.2 secrets logged to: C:\\GFDlBJVSH\\tlsdump\\tlsdump.log\n2026-04-16 22:59:47,267 [root] INFO: Restarting WMI Service\n2026-04-16 22:59:47,330 [root] DEBUG: package modules.packages.exe does not support configure, ignoring\n2026-04-16 22:59:47,346 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'\n2026-04-16 22:59:47,346 [lib.core.compound] INFO: C:\\Users\\cape\\AppData\\Local\\Temp already exists, skipping creation\n2026-04-16 22:59:47,752 [lib.api.process] INFO: Successfully executed process from path 
\"C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe\" with arguments \"\" with pid 7684\n2026-04-16 22:59:47,752 [lib.api.process] INFO: Monitor config for <Process 7684 NanoCore.exe>: C:\\ltb6yatm\\dll\\7684.ini\n2026-04-16 22:59:47,768 [lib.api.process] INFO: 32-bit DLL to inject is C:\\ltb6yatm\\dll\\chskHCV.dll, loader C:\\ltb6yatm\\bin\\SZJMBSm.exe\n2026-04-16 22:59:48,002 [root] DEBUG: Loader: Injecting process 7684 (thread 4344) with C:\\ltb6yatm\\dll\\chskHCV.dll.\n2026-04-16 22:59:48,002 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.\n2026-04-16 22:59:48,018 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.\n2026-04-16 22:59:48,018 [root] DEBUG: Successfully injected DLL C:\\ltb6yatm\\dll\\chskHCV.dll.\n2026-04-16 22:59:48,018 [lib.api.process] INFO: Injected into 32-bit <Process 7684 NanoCore.exe>\n2026-04-16 22:59:50,033 [lib.api.process] INFO: Successfully resumed <Process 7684 NanoCore.exe>\n2026-04-16 22:59:50,768 [root] DEBUG: 7684: Python path set to 'C:\\Python310'.\n2026-04-16 22:59:50,799 [root] DEBUG: 7684: Disabling sleep skipping.\n2026-04-16 22:59:50,799 [root] DEBUG: 7684: Dropped file limit defaulting to 100.\n2026-04-16 22:59:50,877 [root] DEBUG: 7684: YaraInit: Compiled 44 rule files\n2026-04-16 22:59:50,908 [root] DEBUG: 7684: YaraInit: Compiled rules saved to file C:\\ltb6yatm\\data\\yara\\capemon.yac\n2026-04-16 22:59:50,908 [root] DEBUG: 7684: YaraScan: Scanning 0x00B10000, size 0x218\n2026-04-16 22:59:50,908 [root] DEBUG: 7684: Monitor initialised: 32-bit capemon loaded in process 7684 at 0x73ea0000, thread 4344, image base 0xb10000, stack from 0x10f2000-0x1100000\n2026-04-16 22:59:50,908 [root] DEBUG: 7684: Commandline: \"C:\\Users\\cape\\AppData\\Local\\Temp\\NanoCore.exe\"\n2026-04-16 22:59:51,127 [root] DEBUG: 7684: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress\n2026-04-16 22:59:51,268 [root] WARNING: b'Unable to place hook on 
GetCommandLineA'\n2026-04-16 22:59:51,283 [root] DEBUG: 7684: set_hooks: Unable to hook GetCommandLineA\n2026-04-16 22:59:51,283 [root] WARNING: b'Unable to place hook on GetCommandLineW'\n2026-04-16 22:59:51,299 [root] DEBUG: 7684: set_hooks: Unable to hook GetCommandLineW\n2026-04-16 22:59:51,424 [root] DEBUG: 7684: Hooked 630 out of 632 functions\n2026-04-16 22:59:51,486 [root] DEBUG: 7684: Syscall hook installed, syscall logging level 1\n2026-04-16 22:59:51,502 [root] INFO: Loaded monitor into process with pid 7684\n2026-04-16 22:59:51,658 [root] DEBUG: 7684: DLL loaded at 0x73E10000: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei (0x8d000 bytes).\n2026-04-16 22:59:52,596 [root] DEBUG: 7684: set_hooks_by_export_directory: Hooked 0 out of 632 functions\n2026-04-16 22:59:52,596 [root] DEBUG: 7684: DLL loaded at 0x75250000: C:\\Windows\\SYSTEM32\\kernel.appcore (0xf000 bytes).\n2026-04-16 22:59:52,611 [root] DEBUG: 7684: DLL loaded at 0x75460000: C:\\Windows\\SYSTEM32\\VERSION (0x8000 bytes).\n2026-04-16 22:59:57,424 [root] DEBUG: 7684: InstrumentationCallback: Added region at 0x76AD24AC (base 0x76AB0000) to tracked regions list (thread 4344).\n2026-04-16 22:59:57,424 [root] DEBUG: 7684: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \\Device\\HarddiskVolume1\\Windows\\SysWOW64\\kernel32.dll is in known range, skipping\n2026-04-16 22:59:58,534 [root] DEBUG: 7684: DLL loaded at 0x736E0000: C:\\Windows\\WinSxS\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\\MSVCR80 (0x9b000 bytes).\n2026-04-16 22:59:58,643 [root] DEBUG: 7684: set_hooks_by_export_directory: Hooked 0 out of 632 functions\n2026-04-16 22:59:58,658 [root] DEBUG: 7684: DLL loaded at 0x737E0000: C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks (0x621000 bytes).\n2026-04-16 23:00:03,252 [root] DEBUG: 7684: AllocationHandler: Adding allocation to tracked region list: 0x02F6A000, size: 0x1000.\n2026-04-16 23:00:03,268 [root] DEBUG: 7684: GetEntropy: 
Error - Supplied address inaccessible: 0x02F60000\n2026-04-16 23:00:03,268 [root] DEBUG: 7684: AddTrackedRegion: GetEntropy failed.\n2026-04-16 23:00:03,268 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x02F60000.\n2026-04-16 23:00:03,377 [root] DEBUG: 7684: DLL loaded at 0x77590000: C:\\Windows\\System32\\shell32 (0x5b5000 bytes).\n2026-04-16 23:00:03,393 [root] DEBUG: 7684: DLL loaded at 0x756D0000: C:\\Windows\\SYSTEM32\\Wldp (0x27000 bytes).\n2026-04-16 23:00:03,408 [root] DEBUG: 7684: DLL loaded at 0x75700000: C:\\Windows\\SYSTEM32\\windows.storage (0x60d000 bytes).\n2026-04-16 23:00:03,408 [root] DEBUG: 7684: DLL loaded at 0x76F70000: C:\\Windows\\System32\\SHCORE (0x87000 bytes).\n2026-04-16 23:00:04,330 [root] DEBUG: 7684: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 4344).\n2026-04-16 23:00:04,346 [root] DEBUG: 7684: ProcessTrackedRegion: Region at 0x77150000 mapped as \\Device\\HarddiskVolume1\\Windows\\SysWOW64\\KernelBase.dll is in known range, skipping\n2026-04-16 23:00:04,346 [root] DEBUG: 7684: DLL loaded at 0x75260000: C:\\Windows\\SYSTEM32\\profapi (0x18000 bytes).\n2026-04-16 23:00:05,393 [root] DEBUG: 7684: DLL loaded at 0x72BE0000: C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\07fedecf3b964c4d26a6ec994226efe4\\mscorlib.ni (0xb00000 bytes).\n2026-04-16 23:00:05,971 [root] DEBUG: 7684: AllocationHandler: Adding allocation to tracked region list: 0x02F72000, size: 0x1000.\n2026-04-16 23:00:05,987 [root] DEBUG: 7684: GetEntropy: Error - Supplied address inaccessible: 0x02F70000\n2026-04-16 23:00:05,987 [root] DEBUG: 7684: AddTrackedRegion: GetEntropy failed.\n2026-04-16 23:00:06,362 [root] DEBUG: 7684: DLL loaded at 0x76D80000: C:\\Windows\\System32\\bcryptPrimitives (0x5f000 bytes).\n2026-04-16 23:00:06,377 [root] DEBUG: 7684: DLL loaded at 0x745D0000: C:\\Windows\\system32\\uxtheme (0x74000 bytes).\n2026-04-16 23:00:06,705 [root] DEBUG: 
7684: AllocationHandler: Allocation already in tracked region list: 0x02F70000.\n2026-04-16 23:00:06,721 [root] DEBUG: 7684: caller_dispatch: Added region at 0x05730000 to tracked regions list (kernel32::SetErrorMode returns to 0x05730626, thread 4344).\n2026-04-16 23:00:06,721 [root] DEBUG: 7684: DumpPEsInRange: Scanning range 0x05730000 - 0x05730FFE.\n2026-04-16 23:00:06,737 [root] DEBUG: 7684: ScanForDisguisedPE: No PE image located in range 0x05730000-0x05730FFE.\n2026-04-16 23:00:06,799 [lib.common.results] INFO: Uploading file C:\\GFDlBJVSH\\CAPE\\7684_10041625602016442026 to CAPE\\fdc26f772969ee511a5d7efb14854e93192cc93a5a5a06677795c676b7b02b91; Size is 4094; Max size: 100000000\n2026-04-16 23:00:06,815 [root] DEBUG: 7684: DumpMemory: Payload successfully created: C:\\GFDlBJVSH\\CAPE\\7684_10041625602016442026 (size 4094 bytes)\n2026-04-16 23:00:06,815 [root] DEBUG: 7684: DumpRegion: Dumped entire allocation from 0x05730000, size 4096 bytes.\n2026-04-16 23:00:06,815 [root] DEBUG: 7684: ProcessTrackedRegion: Dumped region at 0x05730000.\n2026-04-16 23:00:06,830 [root] DEBUG: 7684: YaraScan: Scanning 0x05730000, size 0xffe\n2026-04-16 23:00:06,830 [root] DEBUG: 7684: AllocationHandler: Adding allocation to tracked region list: 0x02FAB000, size: 0x1000.\n2026-04-16 23:00:06,830 [root] DEBUG: 7684: GetEntropy: Error - Supplied address inaccessible: 0x02FA0000\n2026-04-16 23:00:06,846 [root] DEBUG: 7684: AddTrackedRegion: GetEntropy failed.\n2026-04-16 23:00:06,846 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x02FA0000.\n2026-04-16 23:00:07,080 [root] DEBUG: 7684: ReverseScanForNonZero: Error - Supplied size zero.\n2026-04-16 23:00:07,252 [lib.common.results] INFO: Uploading file C:\\GFDlBJVSH\\CAPE\\7684_996960702016442026 to CAPE\\cc1ac7194daa2648e44bdd561a682e0e9ed3c808978b881348f8a4080d151f19; Size is 534; Max size: 100000000\n2026-04-16 23:00:07,268 [root] DEBUG: 7684: DumpMemory: Payload successfully created: 
C:\\GFDlBJVSH\\CAPE\\7684_996960702016442026 (size 534 bytes)\n2026-04-16 23:00:07,283 [root] DEBUG: 7684: DumpRegion: Dumped region at 0x02F6A000, size 4096 bytes.\n2026-04-16 23:00:07,299 [root] DEBUG: 7684: ProcessTrackedRegion: Dumped region at 0x02F6A000.\n2026-04-16 23:00:07,299 [root] DEBUG: 7684: ReverseScanForNonZero: Error - Supplied address inaccessible: 0x02F60FFF\n2026-04-16 23:00:07,299 [root] DEBUG: 7684: YaraScan: Nothing to scan at 0x02F6A000!\n2026-04-16 23:00:07,455 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x02F70000.\n2026-04-16 23:00:07,862 [root] DEBUG: 7684: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \\Device\\HarddiskVolume1\\Windows\\SysWOW64\\kernel32.dll is in known range, skipping\n2026-04-16 23:00:07,955 [root] DEBUG: 7684: DLL loaded at 0x72B80000: C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit (0x5b000 bytes).\n2026-04-16 23:00:08,252 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x02F70000.\n2026-04-16 23:00:08,408 [root] DEBUG: 7684: AllocationHandler: Adding allocation to tracked region list: 0x07C60000, size: 0x1000.\n2026-04-16 23:00:08,408 [root] DEBUG: 7684: AddTrackedRegion: GetEntropy failed.\n2026-04-16 23:00:09,205 [root] DEBUG: 7684: AllocationHandler: Adding allocation to tracked region list: 0x02F9A000, size: 0x1000.\n2026-04-16 23:00:09,689 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x02F90000.\n2026-04-16 23:00:09,689 [root] DEBUG: 7684: DumpPEsInRange: Scanning range 0x07C60000 - 0x07C60337.\n2026-04-16 23:00:09,689 [root] DEBUG: 7684: ScanForDisguisedPE: Size too small: 0x337 bytes\n2026-04-16 23:00:09,814 [lib.common.results] INFO: Uploading file C:\\GFDlBJVSH\\CAPE\\7684_7614705902016442026 to CAPE\\d9a05b5e933480cb3a0a75e9adf8cbc2c8f30ab0308ace4f6da94281910a9880; Size is 823; Max size: 100000000\n2026-04-16 23:00:09,830 [root] DEBUG: 7684: DumpMemory: Payload successfully 
created: C:\\GFDlBJVSH\\CAPE\\7684_7614705902016442026 (size 823 bytes)\n2026-04-16 23:00:09,830 [root] DEBUG: 7684: DumpRegion: Dumped entire allocation from 0x07C60000, size 4096 bytes.\n2026-04-16 23:00:09,830 [root] DEBUG: 7684: ProcessTrackedRegion: Dumped region at 0x07C60000.\n2026-04-16 23:00:09,830 [root] DEBUG: 7684: YaraScan: Scanning 0x07C60000, size 0x337\n2026-04-16 23:00:10,815 [root] DEBUG: 7684: DLL loaded at 0x723D0000: C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\c60dd1ee843ba8ff9ee7edcd6302393b\\System.ni (0x7a8000 bytes).\n2026-04-16 23:00:11,268 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x02F70000.\n2026-04-16 23:00:11,580 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07C60000.\n2026-04-16 23:00:11,705 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x02F70000.\n2026-04-16 23:00:11,721 [root] DEBUG: 7684: api-rate-cap: NtProtectVirtualMemory hook disabled due to rate\n2026-04-16 23:00:11,814 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07C60000.\n2026-04-16 23:00:13,408 [root] DEBUG: 7684: DLL loaded at 0x76A70000: C:\\Windows\\System32\\psapi (0x6000 bytes).\n2026-04-16 23:00:13,424 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x02F60000.\n2026-04-16 23:00:13,471 [root] DEBUG: 7684: api-rate-cap: NtReadVirtualMemory hook disabled due to rate\n2026-04-16 23:00:13,549 [root] DEBUG: 7684: AllocationHandler: Adding allocation to tracked region list: 0x02F86000, size: 0x1000.\n2026-04-16 23:00:13,549 [root] DEBUG: 7684: GetEntropy: Error - Supplied address inaccessible: 0x02F80000\n2026-04-16 23:00:13,565 [root] DEBUG: 7684: AddTrackedRegion: GetEntropy failed.\n2026-04-16 23:00:13,565 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x02F80000.\n2026-04-16 23:00:13,565 [root] DEBUG: 7684: AllocationHandler: 
Allocation already in tracked region list: 0x02F80000.\n2026-04-16 23:00:14,283 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x02F70000.\n2026-04-16 23:00:14,408 [root] DEBUG: 7684: AllocationHandler: Adding allocation to tracked region list: 0x07D80000, size: 0x1000.\n2026-04-16 23:00:14,408 [root] DEBUG: 7684: AddTrackedRegion: GetEntropy failed.\n2026-04-16 23:00:14,518 [root] DEBUG: 7684: DumpPEsInRange: Scanning range 0x02F70000 - 0x02F70015.\n2026-04-16 23:00:14,533 [root] DEBUG: 7684: ScanForDisguisedPE: Size too small: 0x15 bytes\n2026-04-16 23:00:14,533 [lib.common.results] INFO: Uploading file C:\\GFDlBJVSH\\CAPE\\7684_163673641402016442026 to CAPE\\9c5081d0edccacc1efd6579e5076ca888a0cb1ba5e338c4716a471729d425336; Size is 21; Max size: 100000000\n2026-04-16 23:00:14,549 [root] DEBUG: 7684: DumpMemory: Payload successfully created: C:\\GFDlBJVSH\\CAPE\\7684_163673641402016442026 (size 21 bytes)\n2026-04-16 23:00:14,549 [root] DEBUG: 7684: DumpRegion: Dumped entire allocation from 0x02F70000, size 4096 bytes.\n2026-04-16 23:00:14,549 [root] DEBUG: 7684: ProcessTrackedRegion: Dumped region at 0x02F70000.\n2026-04-16 23:00:14,549 [root] DEBUG: 7684: YaraScan: Scanning 0x02F70000, size 0x15\n2026-04-16 23:00:15,064 [root] DEBUG: 7684: DLL loaded at 0x72240000: C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\a03dd8871929955c680232682c9464a0\\System.Drawing.ni (0x189000 bytes).\n2026-04-16 23:00:15,721 [root] DEBUG: 7684: DLL loaded at 0x71660000: C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\194e1e92bfae5396086518c2ec0a0f74\\System.Windows.Forms.ni (0xbe0000 bytes).\n2026-04-16 23:00:15,783 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x02F70000.\n2026-04-16 23:00:15,877 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x02F70000.\n2026-04-16 23:00:15,908 [root] DEBUG: 7684: AllocationHandler: Allocation 
already in tracked region list: 0x02F70000.\n2026-04-16 23:00:16,033 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07C60000.\n2026-04-16 23:00:16,080 [root] DEBUG: 7684: AllocationHandler: Adding allocation to tracked region list: 0x07D90000, size: 0x1000.\n2026-04-16 23:00:16,080 [root] DEBUG: 7684: AddTrackedRegion: GetEntropy failed.\n2026-04-16 23:00:16,189 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07D90000.\n2026-04-16 23:00:16,314 [root] DEBUG: 7684: AllocationHandler: Adding allocation to tracked region list: 0x07EC0000, size: 0x1000.\n2026-04-16 23:00:16,314 [root] DEBUG: 7684: AddTrackedRegion: GetEntropy failed.\n2026-04-16 23:00:16,424 [root] DEBUG: 7684: DumpPEsInRange: Scanning range 0x07EC0000 - 0x07EC034C.\n2026-04-16 23:00:16,424 [root] DEBUG: 7684: ScanForDisguisedPE: Size too small: 0x34c bytes\n2026-04-16 23:00:16,439 [lib.common.results] INFO: Uploading file C:\\GFDlBJVSH\\CAPE\\7684_67246021602016442026 to CAPE\\263a6494a70b1f92ad33ea287eccd6e216498a709c6a5719167942e06d329d8d; Size is 844; Max size: 100000000\n2026-04-16 23:00:16,439 [root] DEBUG: 7684: DumpMemory: Payload successfully created: C:\\GFDlBJVSH\\CAPE\\7684_67246021602016442026 (size 844 bytes)\n2026-04-16 23:00:16,439 [root] DEBUG: 7684: DumpRegion: Dumped entire allocation from 0x07EC0000, size 4096 bytes.\n2026-04-16 23:00:16,439 [root] DEBUG: 7684: ProcessTrackedRegion: Dumped region at 0x07EC0000.\n2026-04-16 23:00:16,455 [root] DEBUG: 7684: YaraScan: Scanning 0x07EC0000, size 0x34c\n2026-04-16 23:00:16,596 [root] DEBUG: 7684: DLL loaded at 0x747C0000: C:\\Windows\\system32\\mswsock (0x52000 bytes).\n2026-04-16 23:00:16,830 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07D90000.\n2026-04-16 23:00:16,892 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x02F70000.\n2026-04-16 23:00:16,972 [root] DEBUG: 7684: AllocationHandler: 
Allocation already in tracked region list: 0x07D90000.\n2026-04-16 23:00:16,986 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07D90000.\n2026-04-16 23:00:16,986 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07C60000.\n2026-04-16 23:00:17,174 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07D90000.\n2026-04-16 23:00:17,190 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07D90000.\n2026-04-16 23:00:17,205 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07D90000.\n2026-04-16 23:00:17,408 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07C60000.\n2026-04-16 23:00:17,424 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x02F70000.\n2026-04-16 23:00:17,440 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07C60000.\n2026-04-16 23:00:17,721 [root] DEBUG: 7684: DLL loaded at 0x71120000: C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\bae24e9bcbc01bb2a0ed4fa751347041\\System.Xml.ni (0x53c000 bytes).\n2026-04-16 23:00:17,737 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07D90000.\n2026-04-16 23:00:17,893 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07C60000.\n2026-04-16 23:00:17,939 [root] DEBUG: 7684: AllocationHandler: Adding allocation to tracked region list: 0x08020000, size: 0x1000.\n2026-04-16 23:00:17,939 [root] DEBUG: 7684: AddTrackedRegion: GetEntropy failed.\n2026-04-16 23:00:17,955 [root] DEBUG: 7684: DumpPEsInRange: Scanning range 0x08020000 - 0x08020339.\n2026-04-16 23:00:17,955 [root] DEBUG: 7684: ScanForDisguisedPE: Size too small: 0x339 bytes\n2026-04-16 23:00:17,955 [lib.common.results] INFO: Uploading file C:\\GFDlBJVSH\\CAPE\\7684_247879801702016442026 to 
CAPE\\492405dd52974c0a6af2eecee33f3534ca32947fc3f0358a3e283886c9e89acc; Size is 825; Max size: 100000000\n2026-04-16 23:00:17,986 [root] DEBUG: 7684: DumpMemory: Payload successfully created: C:\\GFDlBJVSH\\CAPE\\7684_247879801702016442026 (size 825 bytes)\n2026-04-16 23:00:17,986 [root] DEBUG: 7684: DumpRegion: Dumped entire allocation from 0x08020000, size 4096 bytes.\n2026-04-16 23:00:17,986 [root] DEBUG: 7684: ProcessTrackedRegion: Dumped region at 0x08020000.\n2026-04-16 23:00:18,002 [root] DEBUG: 7684: YaraScan: Scanning 0x08020000, size 0x339\n2026-04-16 23:00:18,127 [root] DEBUG: 7684: DLL loaded at 0x75280000: C:\\Windows\\SYSTEM32\\CRYPTSP (0x13000 bytes).\n2026-04-16 23:00:18,127 [root] DEBUG: 7684: DLL loaded at 0x74C10000: C:\\Windows\\system32\\rsaenh (0x2f000 bytes).\n2026-04-16 23:00:18,143 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07D90000.\n2026-04-16 23:00:18,158 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08020000.\n2026-04-16 23:00:18,174 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x02FA0000.\n2026-04-16 23:00:18,299 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08020000.\n2026-04-16 23:00:18,379 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08020000.\n2026-04-16 23:00:18,409 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08020000.\n2026-04-16 23:00:18,439 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08020000.\n2026-04-16 23:00:18,486 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08020000.\n2026-04-16 23:00:18,502 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07D90000.\n2026-04-16 23:00:18,580 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07D90000.\n2026-04-16 
23:00:18,596 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08020000.\n2026-04-16 23:00:18,611 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08020000.\n2026-04-16 23:00:18,642 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07D90000.\n2026-04-16 23:00:18,658 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08020000.\n2026-04-16 23:00:18,689 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07EC0000.\n2026-04-16 23:00:18,783 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x02F70000.\n2026-04-16 23:00:18,799 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07D90000.\n2026-04-16 23:00:18,799 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08020000.\n2026-04-16 23:00:18,814 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08020000.\n2026-04-16 23:00:18,830 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x02F90000.\n2026-04-16 23:00:18,892 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x02F60000.\n2026-04-16 23:00:18,924 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07D90000.\n2026-04-16 23:00:18,924 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07EC0000.\n2026-04-16 23:00:18,955 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08020000.\n2026-04-16 23:00:18,986 [root] DEBUG: 7684: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \\Device\\HarddiskVolume1\\Windows\\SysWOW64\\kernel32.dll is in known range, skipping\n2026-04-16 23:00:19,064 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07D90000.\n2026-04-16 23:00:19,080 [root] DEBUG: 
7684: AllocationHandler: Adding allocation to tracked region list: 0x081A0000, size: 0x1000.\n2026-04-16 23:00:19,080 [root] DEBUG: 7684: AddTrackedRegion: GetEntropy failed.\n2026-04-16 23:00:19,080 [root] DEBUG: 7684: AllocationHandler: Adding allocation to tracked region list: 0x081B0000, size: 0x1000.\n2026-04-16 23:00:19,080 [root] DEBUG: 7684: AddTrackedRegion: GetEntropy failed.\n2026-04-16 23:00:19,080 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x081A0000.\n2026-04-16 23:00:19,096 [root] DEBUG: 7684: AllocationHandler: Previously reserved region at 0x05730000, committing at: 0x05731000.\n2026-04-16 23:00:19,096 [root] DEBUG: 7684: AllocationHandler: Adding allocation to tracked region list: 0x7F550000, size: 0x50000.\n2026-04-16 23:00:19,096 [root] DEBUG: 7684: GetEntropy: Error - Supplied address inaccessible: 0x7F550000\n2026-04-16 23:00:19,096 [root] DEBUG: 7684: AddTrackedRegion: GetEntropy failed.\n2026-04-16 23:00:19,096 [root] DEBUG: 7684: AllocationHandler: Processing previous tracked region at: 0x05730000.\n2026-04-16 23:00:19,096 [root] DEBUG: 7684: ProcessTrackedRegion: Updated entropy for tracked region at 0x05730000: 2.473353e+00 (from 1.297813e+00)\n2026-04-16 23:00:19,096 [root] DEBUG: 7684: DumpPEsInRange: Scanning range 0x05730000 - 0x05731FFE.\n2026-04-16 23:00:19,111 [root] DEBUG: 7684: ScanForDisguisedPE: No PE image located in range 0x05730000-0x05731FFE.\n2026-04-16 23:00:19,111 [lib.common.results] INFO: Uploading file C:\\GFDlBJVSH\\CAPE\\7684_20840251902016442026 to CAPE\\0b9c693217bdc314aa3dbf7363ef6ae8d0c4104a4e3b3ce52602eb1224e7c260; Size is 8190; Max size: 100000000\n2026-04-16 23:00:19,111 [root] DEBUG: 7684: DumpMemory: Payload successfully created: C:\\GFDlBJVSH\\CAPE\\7684_20840251902016442026 (size 8190 bytes)\n2026-04-16 23:00:19,111 [root] DEBUG: 7684: DumpRegion: Dumped entire allocation from 0x05730000, size 8192 bytes.\n2026-04-16 23:00:19,127 [root] DEBUG: 7684: 
ProcessTrackedRegion: Dumped region at 0x05730000.\n2026-04-16 23:00:19,127 [root] DEBUG: 7684: YaraScan: Scanning 0x05730000, size 0x1ffe\n2026-04-16 23:00:19,127 [root] DEBUG: 7684: AllocationHandler: Memory region (size 0x50000) reserved but not committed at 0x7F550000.\n2026-04-16 23:00:19,127 [root] DEBUG: 7684: AllocationHandler: Previously reserved region at 0x7F550000, committing at: 0x7F550000.\n2026-04-16 23:00:19,127 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x7F550000.\n2026-04-16 23:00:19,127 [root] DEBUG: 7684: AllocationHandler: Adding allocation to tracked region list: 0x7F540000, size: 0x10000.\n2026-04-16 23:00:19,127 [root] DEBUG: 7684: GetEntropy: Error - Supplied address inaccessible: 0x7F540000\n2026-04-16 23:00:19,142 [root] DEBUG: 7684: AddTrackedRegion: GetEntropy failed.\n2026-04-16 23:00:19,142 [root] DEBUG: 7684: AllocationHandler: Processing previous tracked region at: 0x7F550000.\n2026-04-16 23:00:19,142 [root] DEBUG: 7684: DumpPEsInRange: Scanning range 0x7F550000 - 0x7F55002C.\n2026-04-16 23:00:19,142 [root] DEBUG: 7684: ScanForDisguisedPE: Size too small: 0x2c bytes\n2026-04-16 23:00:19,142 [lib.common.results] INFO: Uploading file C:\\GFDlBJVSH\\CAPE\\7684_17855081902016442026 to CAPE\\064ec728231780bebf305dc752c6dbeca6cb311f53dec5a57657cd7d5a42f2a9; Size is 44; Max size: 100000000\n2026-04-16 23:00:19,158 [root] DEBUG: 7684: DumpMemory: Payload successfully created: C:\\GFDlBJVSH\\CAPE\\7684_17855081902016442026 (size 44 bytes)\n2026-04-16 23:00:19,158 [root] DEBUG: 7684: DumpRegion: Dumped entire allocation from 0x7F550000, size 4096 bytes.\n2026-04-16 23:00:19,158 [root] DEBUG: 7684: ProcessTrackedRegion: Dumped region at 0x7F550000.\n2026-04-16 23:00:19,158 [root] DEBUG: 7684: YaraScan: Scanning 0x7F550000, size 0x2c\n2026-04-16 23:00:19,158 [root] DEBUG: 7684: AllocationHandler: Memory region (size 0x10000) reserved but not committed at 0x7F540000.\n2026-04-16 23:00:19,158 [root] DEBUG: 
7684: AllocationHandler: Previously reserved region at 0x7F540000, committing at: 0x7F540000.\n2026-04-16 23:00:19,189 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x081A0000.\n2026-04-16 23:00:19,205 [root] DEBUG: 7684: AllocationHandler: Adding allocation to tracked region list: 0x08290000, size: 0x1000.\n2026-04-16 23:00:19,205 [root] DEBUG: 7684: AddTrackedRegion: GetEntropy failed.\n2026-04-16 23:00:19,205 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08290000.\n2026-04-16 23:00:19,221 [root] DEBUG: 7684: DumpPEsInRange: Scanning range 0x08290000 - 0x08293BED.\n2026-04-16 23:00:19,221 [root] DEBUG: 7684: ScanForDisguisedPE: No PE image located in range 0x08290000-0x08293BED.\n2026-04-16 23:00:19,221 [lib.common.results] INFO: Uploading file C:\\GFDlBJVSH\\CAPE\\7684_13337351902016442026 to CAPE\\fffd2718e42793784f270c7cf9e47d11004eb3eebfe45efc1e8a52c87ea86373; Size is 15341; Max size: 100000000\n2026-04-16 23:00:19,221 [root] DEBUG: 7684: DumpMemory: Payload successfully created: C:\\GFDlBJVSH\\CAPE\\7684_13337351902016442026 (size 15341 bytes)\n2026-04-16 23:00:19,237 [root] DEBUG: 7684: DumpRegion: Dumped entire allocation from 0x08290000, size 16384 bytes.\n2026-04-16 23:00:19,237 [root] DEBUG: 7684: ProcessTrackedRegion: Dumped region at 0x08290000.\n2026-04-16 23:00:19,237 [root] DEBUG: 7684: YaraScan: Scanning 0x08290000, size 0x3bed\n2026-04-16 23:00:19,424 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x081A0000.\n2026-04-16 23:00:19,424 [root] DEBUG: 7684: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \\Device\\HarddiskVolume1\\Windows\\SysWOW64\\kernel32.dll is in known range, skipping\n2026-04-16 23:00:19,424 [root] DEBUG: 7684: DLL loaded at 0x70B00000: C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture (0x8000 bytes).\n2026-04-16 23:00:19,471 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 
0x081A0000.\n2026-04-16 23:00:19,502 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x081A0000.\n2026-04-16 23:00:19,517 [root] DEBUG: 7684: AllocationHandler: Adding allocation to tracked region list: 0x08531000, size: 0x1000.\n2026-04-16 23:00:19,533 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08290000.\n2026-04-16 23:00:19,549 [root] DEBUG: 7684: CreateProcessHandler: Injection info set for new process 3832: C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\dw20.exe, ImageBase: 0x10000000\n2026-04-16 23:00:19,564 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08290000.\n2026-04-16 23:00:19,564 [root] INFO: Announced 32-bit process name: dw20.exe pid: 3832\n2026-04-16 23:00:19,564 [lib.api.process] INFO: Monitor config for <Process 3832 dw20.exe>: C:\\ltb6yatm\\dll\\3832.ini\n2026-04-16 23:00:19,627 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08290000.\n2026-04-16 23:00:19,658 [root] DEBUG: 7684: DLL loaded at 0x76BA0000: C:\\Windows\\System32\\MSCTF (0xd4000 bytes).\n2026-04-16 23:00:19,924 [root] DEBUG: 7684: DLL loaded at 0x709A0000: C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097\\gdiplus (0x167000 bytes).\n2026-04-16 23:00:20,190 [root] DEBUG: 7684: DLL loaded at 0x706F0000: C:\\Windows\\SYSTEM32\\DWrite (0x20c000 bytes).\n2026-04-16 23:00:21,111 [lib.api.process] INFO: 32-bit DLL to inject is C:\\ltb6yatm\\dll\\chskHCV.dll, loader C:\\ltb6yatm\\bin\\SZJMBSm.exe\n2026-04-16 23:00:21,142 [root] DEBUG: Loader: Injecting process 3832 (thread 3296) with C:\\ltb6yatm\\dll\\chskHCV.dll.\n2026-04-16 23:00:21,142 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-04-16 23:00:21,158 [root] DEBUG: Successfully injected DLL C:\\ltb6yatm\\dll\\chskHCV.dll.\n2026-04-16 23:00:21,189 [lib.api.process] INFO: Injected into 32-bit <Process 3832 
dw20.exe>\n2026-04-16 23:00:21,268 [root] DEBUG: 7684: ProcessTrackedRegion: Region at 0x77150000 mapped as \\Device\\HarddiskVolume1\\Windows\\SysWOW64\\KernelBase.dll is in known range, skipping\n2026-04-16 23:00:21,346 [root] DEBUG: 3832: Python path set to 'C:\\Python310'.\n2026-04-16 23:00:21,361 [root] DEBUG: 3832: Disabling sleep skipping.\n2026-04-16 23:00:21,361 [root] DEBUG: 3832: Dropped file limit defaulting to 100.\n2026-04-16 23:00:21,377 [root] DEBUG: 3832: YaraInit: Compiled rules loaded from existing file C:\\ltb6yatm\\data\\yara\\capemon.yac\n2026-04-16 23:00:21,377 [root] DEBUG: 3832: YaraScan: Scanning 0x10000000, size 0x8a00\n2026-04-16 23:00:21,392 [root] DEBUG: 3832: Monitor initialised: 32-bit capemon loaded in process 3832 at 0x73ea0000, thread 3296, image base 0x10000000, stack from 0x195000-0x1a0000\n2026-04-16 23:00:21,392 [root] DEBUG: 3832: Commandline: dw20.exe -x -s 1208\n2026-04-16 23:00:21,455 [root] DEBUG: 3832: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress\n2026-04-16 23:00:21,486 [root] WARNING: b'Unable to place hook on GetCommandLineA'\n2026-04-16 23:00:21,502 [root] DEBUG: 3832: set_hooks: Unable to hook GetCommandLineA\n2026-04-16 23:00:21,502 [root] WARNING: b'Unable to place hook on GetCommandLineW'\n2026-04-16 23:00:21,502 [root] DEBUG: 3832: set_hooks: Unable to hook GetCommandLineW\n2026-04-16 23:00:21,517 [root] DEBUG: 3832: Hooked 630 out of 632 functions\n2026-04-16 23:00:21,611 [root] DEBUG: 3832: Syscall hook installed, syscall logging level 1\n2026-04-16 23:00:21,627 [root] DEBUG: 3832: RestoreHeaders: Restored original import table.\n2026-04-16 23:00:21,627 [root] INFO: Loaded monitor into process with pid 3832\n2026-04-16 23:00:21,643 [root] DEBUG: 3832: caller_dispatch: Added region at 0x10000000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x1000512A, thread 3296).\n2026-04-16 23:00:21,643 [root] DEBUG: 3832: YaraScan: Scanning 0x10000000, 
size 0x8a00\n2026-04-16 23:00:21,658 [root] DEBUG: 3832: ProcessImageBase: Main module image at 0x10000000 unmodified (entropy change 0.000000e+00)\n2026-04-16 23:00:21,752 [root] DEBUG: 3832: DLL loaded at 0x705A0000: C:\\Windows\\system32\\wer (0xae000 bytes).\n2026-04-16 23:00:21,861 [root] DEBUG: 3832: DLL loaded at 0x76D80000: C:\\Windows\\System32\\bcryptPrimitives (0x5f000 bytes).\n2026-04-16 23:00:22,096 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x081B0000.\n2026-04-16 23:00:22,111 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07EC0000.\n2026-04-16 23:00:22,111 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08290000.\n2026-04-16 23:00:22,174 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08290000.\n2026-04-16 23:00:22,190 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x02F80000.\n2026-04-16 23:00:22,190 [root] DEBUG: 3832: DLL loaded at 0x76F70000: C:\\Windows\\System32\\shcore (0x87000 bytes).\n2026-04-16 23:00:22,190 [root] DEBUG: 3832: DLL loaded at 0x704F0000: C:\\Windows\\SYSTEM32\\ntmarta (0x29000 bytes).\n2026-04-16 23:00:22,206 [root] DEBUG: 3832: DLL loaded at 0x75280000: C:\\Windows\\SYSTEM32\\cryptsp (0x13000 bytes).\n2026-04-16 23:00:22,206 [root] DEBUG: 3832: DLL loaded at 0x70520000: C:\\Windows\\SYSTEM32\\aepic (0x78000 bytes).\n2026-04-16 23:00:22,471 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08290000.\n2026-04-16 23:00:22,517 [root] DEBUG: 3832: DLL loaded at 0x66680000: C:\\Windows\\SYSTEM32\\sfc (0x3000 bytes).\n2026-04-16 23:00:22,565 [root] DEBUG: 3832: DLL loaded at 0x704E0000: C:\\Windows\\SYSTEM32\\sfc_os (0xf000 bytes).\n2026-04-16 23:00:22,565 [root] DEBUG: 7684: DLL loaded at 0x70360000: C:\\Windows\\SYSTEM32\\WindowsCodecs (0x171000 bytes).\n2026-04-16 23:00:22,580 [root] DEBUG: 3832: DLL loaded at 
0x77480000: C:\\Windows\\System32\\cfgmgr32 (0x3b000 bytes).\n2026-04-16 23:00:22,580 [root] DEBUG: 3832: DLL loaded at 0x76180000: C:\\Windows\\System32\\SETUPAPI (0x439000 bytes).\n2026-04-16 23:00:22,596 [root] DEBUG: 3832: DLL loaded at 0x74C10000: C:\\Windows\\system32\\rsaenh (0x2f000 bytes).\n2026-04-16 23:00:22,658 [root] DEBUG: 3832: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 4696).\n2026-04-16 23:00:22,674 [root] DEBUG: 3832: ProcessTrackedRegion: Region at 0x77150000 mapped as \\Device\\HarddiskVolume1\\Windows\\SysWOW64\\KernelBase.dll is in known range, skipping\n2026-04-16 23:00:22,705 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08290000.\n2026-04-16 23:00:22,752 [root] DEBUG: 3832: DLL loaded at 0x752A0000: C:\\Windows\\SYSTEM32\\msvcp110_win (0x65000 bytes).\n2026-04-16 23:00:22,752 [root] DEBUG: 3832: DLL loaded at 0x702D0000: C:\\Windows\\SYSTEM32\\policymanager (0x83000 bytes).\n2026-04-16 23:00:22,767 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x05730000.\n2026-04-16 23:00:22,767 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x05730000.\n2026-04-16 23:00:22,767 [root] DEBUG: 7684: AllocationHandler: Adding allocation to tracked region list: 0x099D0000, size: 0x8000.\n2026-04-16 23:00:22,767 [root] DEBUG: 7684: GetEntropy: Error - Supplied address inaccessible: 0x099D0000\n2026-04-16 23:00:22,767 [root] DEBUG: 7684: AddTrackedRegion: GetEntropy failed.\n2026-04-16 23:00:22,767 [root] DEBUG: 7684: AllocationHandler: Memory region (size 0x8000) reserved but not committed at 0x099D0000.\n2026-04-16 23:00:22,783 [root] DEBUG: 7684: AllocationHandler: Previously reserved region at 0x099D0000, committing at: 0x099D0000.\n2026-04-16 23:00:22,783 [root] DEBUG: 3832: DLL loaded at 0x752A0000: C:\\Windows\\SYSTEM32\\msvcp110_win (0x65000 bytes).\n2026-04-16 23:00:22,799 [root] DEBUG: 
3832: DLL loaded at 0x700C0000: C:\\Windows\\SYSTEM32\\policymanager (0x83000 bytes).\n2026-04-16 23:00:22,799 [root] DEBUG: 7684: DLL loaded at 0x70150000: C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\\comctl32 (0x210000 bytes).\n2026-04-16 23:00:22,799 [root] DEBUG: 3832: DLL loaded at 0x752A0000: C:\\Windows\\SYSTEM32\\msvcp110_win (0x65000 bytes).\n2026-04-16 23:00:22,799 [root] DEBUG: 3832: DLL loaded at 0x700C0000: C:\\Windows\\SYSTEM32\\policymanager (0x83000 bytes).\n2026-04-16 23:00:22,830 [root] DEBUG: 3832: DLL loaded at 0x752A0000: C:\\Windows\\SYSTEM32\\msvcp110_win (0x65000 bytes).\n2026-04-16 23:00:22,846 [root] DEBUG: 3832: DLL loaded at 0x700C0000: C:\\Windows\\SYSTEM32\\policymanager (0x83000 bytes).\n2026-04-16 23:00:22,861 [root] DEBUG: 3832: DLL loaded at 0x752A0000: C:\\Windows\\SYSTEM32\\msvcp110_win (0x65000 bytes).\n2026-04-16 23:00:22,861 [root] DEBUG: 3832: DLL loaded at 0x700C0000: C:\\Windows\\SYSTEM32\\policymanager (0x83000 bytes).\n2026-04-16 23:00:22,861 [root] DEBUG: 3832: DLL loaded at 0x752A0000: C:\\Windows\\SYSTEM32\\msvcp110_win (0x65000 bytes).\n2026-04-16 23:00:22,877 [root] DEBUG: 3832: DLL loaded at 0x700C0000: C:\\Windows\\SYSTEM32\\policymanager (0x83000 bytes).\n2026-04-16 23:00:22,893 [root] DEBUG: 7684: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \\Device\\HarddiskVolume1\\Windows\\SysWOW64\\kernel32.dll is in known range, skipping\n2026-04-16 23:00:22,924 [root] DEBUG: 3832: DLL loaded at 0x752A0000: C:\\Windows\\SYSTEM32\\msvcp110_win (0x65000 bytes).\n2026-04-16 23:00:22,939 [root] DEBUG: 3832: DLL loaded at 0x700C0000: C:\\Windows\\SYSTEM32\\policymanager (0x83000 bytes).\n2026-04-16 23:00:22,939 [root] DEBUG: 3832: DLL loaded at 0x752A0000: C:\\Windows\\SYSTEM32\\msvcp110_win (0x65000 bytes).\n2026-04-16 23:00:22,955 [root] DEBUG: 3832: DLL loaded at 0x700C0000: C:\\Windows\\SYSTEM32\\policymanager (0x83000 bytes).\n2026-04-16 
23:00:22,955 [root] DEBUG: 3832: DLL loaded at 0x752A0000: C:\\Windows\\SYSTEM32\\msvcp110_win (0x65000 bytes).\n2026-04-16 23:00:22,971 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x081A0000.\n2026-04-16 23:00:22,971 [root] DEBUG: 3832: DLL loaded at 0x700C0000: C:\\Windows\\SYSTEM32\\policymanager (0x83000 bytes).\n2026-04-16 23:00:22,971 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x081A0000.\n2026-04-16 23:00:22,986 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08290000.\n2026-04-16 23:00:22,986 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07EC0000.\n2026-04-16 23:00:23,049 [root] DEBUG: 3832: api-rate-cap: NtReadVirtualMemory hook disabled due to rate\n2026-04-16 23:00:23,080 [root] DEBUG: 3832: DLL loaded at 0x752A0000: C:\\Windows\\SYSTEM32\\msvcp110_win (0x65000 bytes).\n2026-04-16 23:00:23,080 [root] DEBUG: 3832: DLL loaded at 0x70000000: C:\\Windows\\SYSTEM32\\policymanager (0x83000 bytes).\n2026-04-16 23:00:23,080 [root] DEBUG: 3832: DLL loaded at 0x752A0000: C:\\Windows\\SYSTEM32\\msvcp110_win (0x65000 bytes).\n2026-04-16 23:00:23,096 [root] DEBUG: 3832: DLL loaded at 0x70000000: C:\\Windows\\SYSTEM32\\policymanager (0x83000 bytes).\n2026-04-16 23:00:23,096 [root] DEBUG: 3832: DLL loaded at 0x752A0000: C:\\Windows\\SYSTEM32\\msvcp110_win (0x65000 bytes).\n2026-04-16 23:00:23,096 [root] DEBUG: 3832: DLL loaded at 0x70000000: C:\\Windows\\SYSTEM32\\policymanager (0x83000 bytes).\n2026-04-16 23:00:23,127 [root] INFO: Error dumping file from path \"C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp\": [Errno 13] Permission denied: 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\Temp\\\\WER2DB3.tmp'\n2026-04-16 23:00:23,127 [root] INFO: Error dumping file from path \"C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp\": [Errno 13] Permission denied: 
'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\Temp\\\\WER2DB3.tmp'\n2026-04-16 23:00:23,236 [root] DEBUG: 3832: DLL loaded at 0x756D0000: C:\\Windows\\SYSTEM32\\Wldp (0x27000 bytes).\n2026-04-16 23:00:23,252 [root] DEBUG: 3832: DLL loaded at 0x75700000: C:\\Windows\\SYSTEM32\\windows.storage (0x60d000 bytes).\n2026-04-16 23:00:23,267 [root] DEBUG: 3832: set_hooks_by_export_directory: Hooked 0 out of 632 functions\n2026-04-16 23:00:23,267 [root] DEBUG: 3832: DLL loaded at 0x75250000: C:\\Windows\\SYSTEM32\\kernel.appcore (0xf000 bytes).\n2026-04-16 23:00:24,018 [root] DEBUG: 3832: DLL loaded at 0x6FD80000: C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4d\\Comctl32 (0x8d000 bytes).\n2026-04-16 23:00:24,236 [root] INFO: Added new file to list with pid 3832 and path C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml\n2026-04-16 23:00:24,252 [root] DEBUG: 3832: DLL loaded at 0x75470000: C:\\Windows\\SYSTEM32\\NETAPI32 (0x14000 bytes).\n2026-04-16 23:00:24,268 [root] DEBUG: 3832: DLL loaded at 0x752A0000: C:\\Windows\\SYSTEM32\\msvcp110_win (0x65000 bytes).\n2026-04-16 23:00:24,283 [root] DEBUG: 3832: DLL loaded at 0x75310000: C:\\Windows\\SYSTEM32\\DSREG (0x104000 bytes).\n2026-04-16 23:00:24,299 [root] DEBUG: 3832: DLL loaded at 0x75260000: C:\\Windows\\SYSTEM32\\profapi (0x18000 bytes).\n2026-04-16 23:00:24,346 [root] DEBUG: 3832: DLL loaded at 0x6FBD0000: C:\\Windows\\SYSTEM32\\XmlLite (0x2b000 bytes).\n2026-04-16 23:00:24,408 [root] DEBUG: 7684: DLL loaded at 0x704F0000: C:\\Windows\\SYSTEM32\\ntmarta (0x29000 bytes).\n2026-04-16 23:00:24,424 [root] DEBUG: 3832: DLL loaded at 0x77400000: C:\\Windows\\System32\\clbcatq (0x7e000 bytes).\n2026-04-16 23:00:24,424 [root] DEBUG: 7684: DLL loaded at 0x6FCE0000: C:\\Windows\\System32\\CoreMessaging (0x9b000 bytes).\n2026-04-16 23:00:24,424 [root] DEBUG: 7684: DLL loaded at 0x6FC00000: C:\\Windows\\SYSTEM32\\wintypes 
(0xdb000 bytes).\n2026-04-16 23:00:24,440 [root] DEBUG: 7684: DLL loaded at 0x6FE10000: C:\\Windows\\System32\\CoreUIComponents (0x27e000 bytes).\n2026-04-16 23:00:24,440 [root] DEBUG: 7684: DLL loaded at 0x70090000: C:\\Windows\\SYSTEM32\\textinputframework (0xb9000 bytes).\n2026-04-16 23:00:24,533 [root] DEBUG: 3832: DLL loaded at 0x6FA40000: C:\\Windows\\System32\\twinapi.appcore (0x18f000 bytes).\n2026-04-16 23:00:24,690 [root] DEBUG: 3832: DLL loaded at 0x6FB40000: C:\\Windows\\SYSTEM32\\policymanager (0x83000 bytes).\n2026-04-16 23:00:24,705 [root] DEBUG: 3832: DLL loaded at 0x6FB40000: C:\\Windows\\SYSTEM32\\policymanager (0x83000 bytes).\n2026-04-16 23:00:24,721 [root] DEBUG: 3832: DLL loaded at 0x6FB40000: C:\\Windows\\SYSTEM32\\policymanager (0x83000 bytes).\n2026-04-16 23:00:24,721 [root] DEBUG: 3832: DLL loaded at 0x6FB40000: C:\\Windows\\SYSTEM32\\policymanager (0x83000 bytes).\n2026-04-16 23:00:24,752 [root] DEBUG: 3832: DLL loaded at 0x6FB40000: C:\\Windows\\SYSTEM32\\policymanager (0x83000 bytes).\n2026-04-16 23:00:24,768 [root] DEBUG: 3832: DLL loaded at 0x6FB40000: C:\\Windows\\SYSTEM32\\policymanager (0x83000 bytes).\n2026-04-16 23:00:24,768 [root] DEBUG: 3832: DLL loaded at 0x6FB40000: C:\\Windows\\SYSTEM32\\policymanager (0x83000 bytes).\n2026-04-16 23:00:24,783 [root] INFO: Error dumping file from path \"C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp\": [Errno 13] Permission denied: 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\Temp\\\\WER343C.tmp'\n2026-04-16 23:00:24,861 [root] INFO: Error dumping file from path \"C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp\": [Errno 13] Permission denied: 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\Temp\\\\WER343C.tmp'\n2026-04-16 23:00:24,908 [root] INFO: Added new file to list with pid 3832 and path C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp.xml\n2026-04-16 23:00:24,908 [root] DEBUG: 3832: DLL loaded at 0x6FB40000: 
C:\\Windows\\SYSTEM32\\policymanager (0x83000 bytes).\n2026-04-16 23:00:24,955 [root] DEBUG: 7684: AllocationHandler: Adding allocation to tracked region list: 0x0A160000, size: 0x1000.\n2026-04-16 23:00:24,955 [root] DEBUG: 7684: AddTrackedRegion: GetEntropy failed.\n2026-04-16 23:00:25,205 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x07EC0000.\n2026-04-16 23:00:25,346 [root] INFO: Error dumping file from path \"C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml\": [Errno 13] Permission denied: 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\Temp\\\\WER2DB3.tmp.WERInternalMetadata.xml'\n2026-04-16 23:00:25,361 [root] INFO: Error dumping file from path \"C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2DB3.tmp.WERInternalMetadata.xml\": [Errno 13] Permission denied: 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\Temp\\\\WER2DB3.tmp.WERInternalMetadata.xml'\n2026-04-16 23:00:25,361 [root] INFO: Error dumping file from path \"C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp.xml\": [Errno 13] Permission denied: 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\Temp\\\\WER343C.tmp.xml'\n2026-04-16 23:00:25,361 [root] INFO: Error dumping file from path \"C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER343C.tmp.xml\": [Errno 13] Permission denied: 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\Temp\\\\WER343C.tmp.xml'\n2026-04-16 23:00:25,377 [root] INFO: Error dumping file from path \"C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER3535.tmp.csv\": [Errno 13] Permission denied: 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\Temp\\\\WER3535.tmp.csv'\n2026-04-16 23:00:25,392 [root] INFO: Error dumping file from path \"C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER3535.tmp.csv\": [Errno 13] Permission denied: 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\Temp\\\\WER3535.tmp.csv'\n2026-04-16 23:00:25,392 [root] INFO: Error dumping file from path 
\"C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER35C3.tmp.txt\": [Errno 13] Permission denied: 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\Temp\\\\WER35C3.tmp.txt'\n2026-04-16 23:00:25,392 [root] INFO: Error dumping file from path \"C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER35C3.tmp.txt\": [Errno 13] Permission denied: 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\Temp\\\\WER35C3.tmp.txt'\n2026-04-16 23:00:25,424 [root] DEBUG: 3832: NtTerminateProcess hook: Attempting to dump process 3832\n2026-04-16 23:00:25,486 [root] DEBUG: 3832: VerifyCodeSection: Executable code does not match, 0x0 of 0x5921 matching\n2026-04-16 23:00:25,486 [root] DEBUG: 3832: DoProcessDump: Code modification detected, dumping Imagebase at 0x10000000.\n2026-04-16 23:00:25,486 [root] DEBUG: 3832: DumpImageInCurrentProcess: Attempting to dump virtual PE image.\n2026-04-16 23:00:25,486 [root] DEBUG: 3832: DumpProcess: Instantiating PeParser with address: 0x10000000.\n2026-04-16 23:00:25,502 [root] DEBUG: 3832: DumpProcess: Module entry point VA is 0x10004D84.\n2026-04-16 23:00:25,658 [lib.common.results] INFO: Uploading file C:\\GFDlBJVSH\\CAPE\\3832_4854652502016442026 to procdump\\41aadfb791505cfdbc1cc8cec5346e64c46896a6778c737ead64f384b55d504e; Size is 28672; Max size: 100000000\n2026-04-16 23:00:25,674 [root] DEBUG: 3832: DumpProcess: Module image dump success - dump size 0x7000.\n2026-04-16 23:00:25,690 [root] DEBUG: 7684: DLL loaded at 0x6FB10000: C:\\Windows\\SYSTEM32\\TextShaping (0x94000 bytes).\n2026-04-16 23:00:25,705 [root] INFO: Process with pid 3832 has terminated\n2026-04-16 23:00:25,721 [root] INFO: Process lock is locked\n2026-04-16 23:00:25,799 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08530000.\n2026-04-16 23:00:25,799 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked region list: 0x08530000.\n2026-04-16 23:00:25,799 [root] DEBUG: 7684: AllocationHandler: Allocation already in tracked 
region list: 0x08530000.\n2026-04-16 23:00:25,814 [root] DEBUG: 7684: AllocationHandler: Adding allocation to tracked region list: 0x09EE0000, size: 0x8000.\n2026-04-16 23:00:25,814 [root] DEBUG: 7684: GetEntropy: Error - Supplied address inaccessible: 0x09EE0000\n2026-04-16 23:00:25,814 [root] DEBUG: 7684: AddTrackedRegion: GetEntropy failed.\n2026-04-16 23:00:25,814 [root] DEBUG: 7684: AllocationHandler: Memory region (size 0x8000) reserved but not committed at 0x09EE0000.\n2026-04-16 23:00:25,830 [root] DEBUG: 7684: AllocationHandler: Previously reserved region at 0x09EE0000, committing at: 0x09EE0000.\n2026-04-16 23:00:26,596 [root] DEBUG: 7684: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \\Device\\HarddiskVolume1\\Windows\\SysWOW64\\kernel32.dll is in known range, skipping\n2026-04-16 23:00:26,893 [root] DEBUG: 7684: DLL loaded at 0x705C0000: C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\diasymreader (0x8d000 bytes).\n2026-04-16 23:00:27,924 [root] INFO: Process with pid 7684 has terminated\n2026-04-16 23:00:27,939 [root] INFO: Process with pid 7684 has terminated\n2026-04-16 23:00:27,939 [root] DEBUG: 7684: NtTerminateProcess hook: Attempting to dump process 7684\n2026-04-16 23:00:27,955 [root] DEBUG: 7684: NtTerminateProcess hook: Attempting to dump process 7684\n2026-04-16 23:00:27,955 [root] DEBUG: 7684: VerifyCodeSection: Executable code does not match, 0x68 of 0x15b0d3 matching\n2026-04-16 23:00:27,971 [root] DEBUG: 7684: VerifyCodeSection: Executable code does not match, 0x68 of 0x15b0d3 matching\n2026-04-16 23:00:27,971 [root] DEBUG: 7684: DoProcessDump: Code modification detected, dumping Imagebase at 0x00B10000.\n2026-04-16 23:00:27,986 [root] DEBUG: 7684: DoProcessDump: Code modification detected, dumping Imagebase at 0x00B10000.\n2026-04-16 23:00:27,986 [root] DEBUG: 7684: DumpImageInCurrentProcess: Attempting to dump virtual PE image.\n2026-04-16 23:00:27,986 [root] DEBUG: 7684: DumpImageInCurrentProcess: Attempting to dump virtual 
PE image.\n2026-04-16 23:00:28,002 [root] DEBUG: 7684: DumpProcess: Instantiating PeParser with address: 0x00B10000.\n2026-04-16 23:00:28,002 [root] DEBUG: 7684: DumpProcess: Instantiating PeParser with address: 0x00B10000.\n2026-04-16 23:00:28,002 [root] DEBUG: 7684: DumpProcess: Module entry point VA is 0x00C6D0CE.\n2026-04-16 23:00:28,017 [root] DEBUG: 7684: DumpProcess: Module entry point VA is 0x00C6D0CE.\n2026-04-16 23:00:28,017 [root] DEBUG: 7684: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x00C6E000, section 2\n2026-04-16 23:00:28,017 [root] DEBUG: 7684: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x00C6E000, section 2\n2026-04-16 23:00:28,017 [root] DEBUG: 7684: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x00C70000, section 3\n2026-04-16 23:00:28,017 [root] DEBUG: 7684: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x00C70000, section 3\n2026-04-16 23:00:28,035 [root] DEBUG: 7684: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x00C76000, section 4\n2026-04-16 23:00:28,080 [root] DEBUG: 7684: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x00C76000, section 4\n2026-04-16 23:00:28,142 [root] DEBUG: Error 32 (0x20) - savePeFileToDisk: There was a problem renaming the file: ￏ￰￮￶￥￱￱ ￭￥ ￬￮￦￥￲ ￯￮￫￳￷￨￲￼ ￤￮￱￲￳￯ ￪ ￴￠￩￫￳, ￲￠￪ ￪￠￪ �￲￮￲ ￴￠￩￫ ￧￠￭￿￲ ￤￰￳￣￨￬ ￯￰￮￶￥￱￱￮￬.\n2026-04-16 23:00:28,142 [root] DEBUG: 7684: DumpProcess: Failed to dump image at 0x00B10000.\n2026-04-16 23:00:28,158 [root] DEBUG: 7684: DumpProcess: Module image dump success - dump size 0x15b600.\n2026-04-16 23:00:28,205 [root] DEBUG: 7684: DumpImageInCurrentProcess: Failed to dump virtual PE image from 0x00B10000, dumping memory region.\n2026-04-16 23:00:28,252 [root] DEBUG: 7684: DumpPEsInRange: Scanning range 0x09EE0000 - 0x09EE085D.\n2026-04-16 23:00:28,283 [root] DEBUG: 7684: ScanForDisguisedPE: No PE image located in 
range 0x09EE0000-0x09EE085D.\n2026-04-16 23:00:28,299 [root] DEBUG: 7684: DoProcessDump: Attempting raw dump of Imagebase at 0x00B10000.\n2026-04-16 23:00:28,314 [lib.common.results] INFO: Uploading file C:\\GFDlBJVSH\\CAPE\\7684_55216332802016442026 to CAPE\\05f88a29590f0789f1239f3d205c6799ff3f18dbfcf11b69b7f97ab2ca399056; Size is 2141; Max size: 100000000\n2026-04-16 23:00:28,314 [lib.common.results] INFO: Uploading file C:\\GFDlBJVSH\\CAPE\\7684_57986382802016442026 to CAPE\\cb8b0403fbdc0da56c6e048cecba3ba5f7a294d4afdc2ea5b42584c27a264e82; Size is 536; Max size: 100000000\n2026-04-16 23:00:28,330 [root] DEBUG: 7684: DumpMemory: Payload successfully created: C:\\GFDlBJVSH\\CAPE\\7684_55216332802016442026 (size 2141 bytes)\n2026-04-16 23:00:28,346 [root] DEBUG: 7684: DumpMemory: Payload successfully created: C:\\GFDlBJVSH\\CAPE\\7684_57986382802016442026 (size 536 bytes)\n2026-04-16 23:00:28,346 [root] DEBUG: 7684: DumpRegion: Dumped entire allocation from 0x09EE0000, size 4096 bytes.\n2026-04-16 23:00:28,361 [root] DEBUG: 7684: DumpPEsInRange: Scanning range 0x09EE0000 - 0x09EE085D.\n2026-04-16 23:00:28,377 [root] DEBUG: 7684: ProcessTrackedRegion: Dumped region at 0x09EE0000.\n2026-04-16 23:00:28,377 [root] DEBUG: 7684: ScanForDisguisedPE: No PE image located in range 0x09EE0000-0x09EE085D.\n2026-04-16 23:00:28,392 [root] DEBUG: 7684: YaraScan: Scanning 0x09EE0000, size 0x85d\n2026-04-16 23:00:28,408 [lib.common.results] INFO: Uploading file C:\\GFDlBJVSH\\CAPE\\7684_24829282802016442026 to CAPE\\05f88a29590f0789f1239f3d205c6799ff3f18dbfcf11b69b7f97ab2ca399056; Size is 2141; Max size: 100000000\n2026-04-16 23:00:41,981 [root] INFO: Process list is empty, terminating analysis\n2026-04-16 23:00:43,007 [root] INFO: Created shutdown mutex\n2026-04-16 23:00:44,027 [root] INFO: Shutting down package\n2026-04-16 23:00:44,027 [root] INFO: Stopping auxiliary modules\n2026-04-16 23:00:44,027 [root] INFO: Stopping auxiliary module: Browser\n2026-04-16 23:00:44,035 [root] 
INFO: Stopping auxiliary module: Human\n2026-04-16 23:00:45,053 [root] INFO: Stopping auxiliary module: Screenshots\n2026-04-16 23:00:45,661 [root] INFO: Finishing auxiliary modules\n2026-04-16 23:00:45,676 [root] INFO: Shutting down pipe server and dumping dropped files\n2026-04-16 23:00:45,676 [root] WARNING: Folder at path \"C:\\GFDlBJVSH\\debugger\" does not exist, skipping\n2026-04-16 23:00:45,676 [root] INFO: Uploading files at path \"C:\\GFDlBJVSH\\tlsdump\"\n2026-04-16 23:00:45,676 [lib.common.results] INFO: Uploading file C:\\GFDlBJVSH\\tlsdump\\tlsdump.log to tlsdump\\tlsdump.log; Size is 15070; Max size: 100000000\n2026-04-16 23:00:45,676 [root] INFO: Analysis completed\n",
    "errors": []
  },
  "network": {
    "pcap_sha256": "9d7c359820b9c978f41a16cacf3be88692ed94d74cea45bff4bcd8608a8b580b",
    "hosts": [
      {
        "ip": "46.149.110.67",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          80
        ]
      },
      {
        "ip": "72.154.7.16",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.108",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.100",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.105",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.102",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.98",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.101",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.107",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.109",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "20.165.94.54",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "13.107.6.156",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "84.47.178.41",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "150.171.27.11",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "173.194.73.94",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "i.pki.goog",
        "inaddrarpa": "",
        "ports": [
          80
        ]
      },
      {
        "ip": "84.47.178.49",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "52.123.242.97",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "40.126.53.14",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "20.42.65.93",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "4.207.247.139",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "84.47.178.56",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "20.189.173.2",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      }
    ],
    "domains": [
      {
        "domain": "i.pki.goog",
        "ip": "74.125.205.94"
      },
      {
        "domain": "dns.google",
        "ip": "8.8.4.4"
      }
    ],
    "tcp": [
      {
        "src": "192.168.1.100",
        "sport": 49723,
        "dst": "20.189.173.2",
        "dport": 443,
        "offset": 24,
        "time": 0.0
      },
      {
        "src": "192.168.1.100",
        "sport": 49724,
        "dst": "20.189.173.2",
        "dport": 443,
        "offset": 95,
        "time": 0.9217710494995117
      },
      {
        "src": "192.168.1.100",
        "sport": 49718,
        "dst": "84.47.178.56",
        "dport": 443,
        "offset": 166,
        "time": 4.827660083770752
      },
      {
        "src": "192.168.1.100",
        "sport": 49806,
        "dst": "4.207.247.139",
        "dport": 443,
        "offset": 682,
        "time": 5.247985124588013
      },
      {
        "src": "192.168.1.100",
        "sport": 49784,
        "dst": "40.126.53.14",
        "dport": 443,
        "offset": 8085,
        "time": 5.594206094741821
      },
      {
        "src": "192.168.1.100",
        "sport": 49810,
        "dst": "52.123.128.14",
        "dport": 443,
        "offset": 26100,
        "time": 5.929608106613159
      },
      {
        "src": "192.168.1.100",
        "sport": 49812,
        "dst": "84.47.178.49",
        "dport": 443,
        "offset": 50672,
        "time": 6.107034206390381
      },
      {
        "src": "192.168.1.100",
        "sport": 49814,
        "dst": "199.232.210.172",
        "dport": 80,
        "offset": 74325,
        "time": 6.527139186859131
      },
      {
        "src": "192.168.1.100",
        "sport": 49816,
        "dst": "84.47.178.49",
        "dport": 443,
        "offset": 189098,
        "time": 6.733813047409058
      },
      {
        "src": "192.168.1.100",
        "sport": 49817,
        "dst": "40.126.53.14",
        "dport": 443,
        "offset": 202810,
        "time": 6.884261131286621
      },
      {
        "src": "192.168.1.100",
        "sport": 49818,
        "dst": "13.71.55.58",
        "dport": 443,
        "offset": 220554,
        "time": 7.035048007965088
      },
      {
        "src": "192.168.1.100",
        "sport": 49821,
        "dst": "23.11.40.157",
        "dport": 80,
        "offset": 341187,
        "time": 7.070427179336548
      },
      {
        "src": "192.168.1.100",
        "sport": 49823,
        "dst": "173.194.73.94",
        "dport": 80,
        "offset": 364679,
        "time": 7.129509210586548
      },
      {
        "src": "192.168.1.100",
        "sport": 49825,
        "dst": "128.75.237.138",
        "dport": 80,
        "offset": 415695,
        "time": 7.392553091049194
      },
      {
        "src": "192.168.1.100",
        "sport": 49728,
        "dst": "150.171.27.11",
        "dport": 443,
        "offset": 417305,
        "time": 7.402208089828491
      },
      {
        "src": "192.168.1.100",
        "sport": 49826,
        "dst": "150.171.27.11",
        "dport": 443,
        "offset": 419692,
        "time": 7.445966005325317
      },
      {
        "src": "192.168.1.100",
        "sport": 49828,
        "dst": "13.71.55.58",
        "dport": 443,
        "offset": 457529,
        "time": 8.150074005126953
      },
      {
        "src": "192.168.1.100",
        "sport": 49829,
        "dst": "20.42.65.93",
        "dport": 443,
        "offset": 483355,
        "time": 9.965489149093628
      },
      {
        "src": "192.168.1.100",
        "sport": 49831,
        "dst": "4.207.247.139",
        "dport": 443,
        "offset": 495887,
        "time": 23.947869062423706
      },
      {
        "src": "192.168.1.100",
        "sport": 49710,
        "dst": "84.47.178.41",
        "dport": 443,
        "offset": 504096,
        "time": 39.715540170669556
      },
      {
        "src": "192.168.1.100",
        "sport": 49716,
        "dst": "84.47.178.56",
        "dport": 443,
        "offset": 504237,
        "time": 39.79370403289795
      },
      {
        "src": "192.168.1.100",
        "sport": 49720,
        "dst": "8.8.4.4",
        "dport": 443,
        "offset": 504519,
        "time": 40.98114514350891
      },
      {
        "src": "192.168.1.100",
        "sport": 49708,
        "dst": "13.107.6.156",
        "dport": 443,
        "offset": 504660,
        "time": 41.01231122016907
      },
      {
        "src": "192.168.1.100",
        "sport": 49712,
        "dst": "84.47.178.41",
        "dport": 443,
        "offset": 504801,
        "time": 42.19977807998657
      },
      {
        "src": "23.46.118.69",
        "sport": 443,
        "dst": "192.168.1.100",
        "dport": 49875,
        "offset": 505253,
        "time": 44.38708519935608
      },
      {
        "src": "192.168.1.100",
        "sport": 49833,
        "dst": "20.190.147.7",
        "dport": 443,
        "offset": 515711,
        "time": 48.31332516670227
      },
      {
        "src": "192.168.1.100",
        "sport": 49836,
        "dst": "52.167.249.196",
        "dport": 443,
        "offset": 552390,
        "time": 48.53574204444885
      },
      {
        "src": "192.168.1.100",
        "sport": 49839,
        "dst": "150.171.109.51",
        "dport": 443,
        "offset": 596317,
        "time": 49.07227921485901
      },
      {
        "src": "192.168.1.100",
        "sport": 49840,
        "dst": "52.167.249.196",
        "dport": 443,
        "offset": 740464,
        "time": 49.33619809150696
      },
      {
        "src": "192.168.1.100",
        "sport": 49843,
        "dst": "20.165.94.63",
        "dport": 443,
        "offset": 1115495,
        "time": 50.02232909202576
      },
      {
        "src": "192.168.1.100",
        "sport": 49845,
        "dst": "20.106.86.13",
        "dport": 443,
        "offset": 1120762,
        "time": 50.28623414039612
      },
      {
        "src": "192.168.1.100",
        "sport": 49847,
        "dst": "20.165.94.54",
        "dport": 443,
        "offset": 1344996,
        "time": 50.77600812911987
      },
      {
        "src": "192.168.1.100",
        "sport": 49850,
        "dst": "20.106.86.13",
        "dport": 443,
        "offset": 1464611,
        "time": 51.492913007736206
      },
      {
        "src": "192.168.1.100",
        "sport": 49852,
        "dst": "20.165.94.63",
        "dport": 443,
        "offset": 1473711,
        "time": 51.64586901664734
      },
      {
        "src": "192.168.1.100",
        "sport": 49854,
        "dst": "20.165.94.63",
        "dport": 443,
        "offset": 1548703,
        "time": 52.391579151153564
      },
      {
        "src": "192.168.1.100",
        "sport": 49856,
        "dst": "20.106.86.13",
        "dport": 443,
        "offset": 1584075,
        "time": 53.1021511554718
      },
      {
        "src": "192.168.1.100",
        "sport": 49858,
        "dst": "8.8.8.8",
        "dport": 443,
        "offset": 1590238,
        "time": 53.18667721748352
      },
      {
        "src": "192.168.1.100",
        "sport": 49861,
        "dst": "20.106.86.13",
        "dport": 443,
        "offset": 1636970,
        "time": 54.03184509277344
      },
      {
        "src": "192.168.1.100",
        "sport": 49863,
        "dst": "20.190.147.7",
        "dport": 443,
        "offset": 1646600,
        "time": 54.37438416481018
      },
      {
        "src": "192.168.1.100",
        "sport": 49866,
        "dst": "135.236.137.174",
        "dport": 443,
        "offset": 1702648,
        "time": 55.179028034210205
      },
      {
        "src": "192.168.1.100",
        "sport": 49867,
        "dst": "4.207.247.139",
        "dport": 443,
        "offset": 1718287,
        "time": 55.459365129470825
      },
      {
        "src": "192.168.1.100",
        "sport": 49870,
        "dst": "40.119.249.228",
        "dport": 443,
        "offset": 1738093,
        "time": 57.73198103904724
      },
      {
        "src": "192.168.1.100",
        "sport": 49877,
        "dst": "13.71.55.58",
        "dport": 443,
        "offset": 2707581,
        "time": 62.1398491859436
      },
      {
        "src": "192.168.1.100",
        "sport": 49881,
        "dst": "13.71.55.58",
        "dport": 443,
        "offset": 2743116,
        "time": 63.57081913948059
      },
      {
        "src": "192.168.1.100",
        "sport": 49883,
        "dst": "23.11.40.157",
        "dport": 80,
        "offset": 2755507,
        "time": 64.21059703826904
      },
      {
        "src": "192.168.1.100",
        "sport": 49886,
        "dst": "2.23.88.9",
        "dport": 443,
        "offset": 2795239,
        "time": 66.02916717529297
      },
      {
        "src": "192.168.1.100",
        "sport": 49891,
        "dst": "194.158.198.23",
        "dport": 80,
        "offset": 3517807,
        "time": 69.6070351600647
      },
      {
        "src": "192.168.1.100",
        "sport": 49893,
        "dst": "4.207.247.139",
        "dport": 443,
        "offset": 3525715,
        "time": 71.47440719604492
      },
      {
        "src": "4.207.247.139",
        "sport": 443,
        "dst": "192.168.1.100",
        "dport": 49888,
        "offset": 3536055,
        "time": 71.70379304885864
      },
      {
        "src": "192.168.1.100",
        "sport": 49914,
        "dst": "20.72.205.209",
        "dport": 443,
        "offset": 3579500,
        "time": 92.16584706306458
      },
      {
        "src": "192.168.1.100",
        "sport": 49919,
        "dst": "52.182.143.215",
        "dport": 443,
        "offset": 3877003,
        "time": 94.09323120117188
      },
      {
        "src": "192.168.1.100",
        "sport": 49927,
        "dst": "20.72.205.209",
        "dport": 443,
        "offset": 3891890,
        "time": 95.43838119506836
      },
      {
        "src": "192.168.1.100",
        "sport": 49929,
        "dst": "128.75.237.184",
        "dport": 443,
        "offset": 3905890,
        "time": 95.73864316940308
      },
      {
        "src": "192.168.1.100",
        "sport": 49934,
        "dst": "52.137.106.217",
        "dport": 443,
        "offset": 4045570,
        "time": 97.59215521812439
      },
      {
        "src": "192.168.1.100",
        "sport": 49936,
        "dst": "46.149.110.67",
        "dport": 80,
        "offset": 4063933,
        "time": 98.27095317840576
      },
      {
        "src": "192.168.1.100",
        "sport": 49937,
        "dst": "46.149.110.67",
        "dport": 80,
        "offset": 4070702,
        "time": 98.44255709648132
      },
      {
        "src": "192.168.1.100",
        "sport": 49939,
        "dst": "52.137.106.217",
        "dport": 443,
        "offset": 4083833,
        "time": 98.81547808647156
      },
      {
        "src": "192.168.1.100",
        "sport": 49941,
        "dst": "46.149.110.67",
        "dport": 80,
        "offset": 4103164,
        "time": 98.84687399864197
      },
      {
        "src": "192.168.1.100",
        "sport": 49943,
        "dst": "52.137.106.217",
        "dport": 443,
        "offset": 5928480,
        "time": 99.71292304992676
      },
      {
        "src": "192.168.1.100",
        "sport": 49945,
        "dst": "72.154.7.107",
        "dport": 443,
        "offset": 5929502,
        "time": 99.76901912689209
      },
      {
        "src": "192.168.1.100",
        "sport": 49947,
        "dst": "72.154.7.106",
        "dport": 443,
        "offset": 5930390,
        "time": 99.79423117637634
      },
      {
        "src": "192.168.1.100",
        "sport": 49950,
        "dst": "2.23.90.38",
        "dport": 443,
        "offset": 5959306,
        "time": 100.64679503440857
      },
      {
        "src": "192.168.1.100",
        "sport": 49952,
        "dst": "2.23.90.38",
        "dport": 443,
        "offset": 5984372,
        "time": 100.93833613395691
      },
      {
        "src": "192.168.1.100",
        "sport": 49957,
        "dst": "52.123.245.105",
        "dport": 443,
        "offset": 5999382,
        "time": 103.79599714279175
      }
    ],
    "udp": [
      {
        "src": "192.168.1.100",
        "sport": 57569,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 64339,
        "time": 6.1828742027282715
      },
      {
        "src": "192.168.1.100",
        "sport": 54030,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 75444,
        "time": 6.679230213165283
      },
      {
        "src": "192.168.1.100",
        "sport": 62170,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 207988,
        "time": 6.943793058395386
      },
      {
        "src": "192.168.1.100",
        "sport": 57490,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 341015,
        "time": 7.066672086715698
      },
      {
        "src": "192.168.1.100",
        "sport": 55977,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 414077,
        "time": 7.3603432178497314
      },
      {
        "src": "192.168.1.100",
        "sport": 138,
        "dst": "192.168.1.255",
        "dport": 138,
        "offset": 503627,
        "time": 31.664695024490356
      },
      {
        "src": "192.168.1.100",
        "sport": 56599,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 515013,
        "time": 48.292734146118164
      },
      {
        "src": "192.168.1.100",
        "sport": 63893,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 591436,
        "time": 48.84860801696777
      },
      {
        "src": "192.168.1.100",
        "sport": 55269,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 604940,
        "time": 49.18631601333618
      },
      {
        "src": "192.168.1.100",
        "sport": 54352,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 1107026,
        "time": 49.83819007873535
      },
      {
        "src": "192.168.1.100",
        "sport": 57186,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 1130728,
        "time": 50.59154510498047
      },
      {
        "src": "192.168.1.100",
        "sport": 58635,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 1586479,
        "time": 53.14351201057434
      },
      {
        "src": "192.168.1.100",
        "sport": 55471,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 1610936,
        "time": 53.32051110267639
      },
      {
        "src": "192.168.1.100",
        "sport": 64504,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 1737520,
        "time": 57.59456515312195
      },
      {
        "src": "192.168.1.100",
        "sport": 49642,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 2706998,
        "time": 61.94291615486145
      },
      {
        "src": "192.168.1.100",
        "sport": 50944,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 2757820,
        "time": 64.53733921051025
      },
      {
        "src": "192.168.1.100",
        "sport": 63982,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 3517226,
        "time": 69.53520512580872
      },
      {
        "src": "192.168.1.100",
        "sport": 65094,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 3578851,
        "time": 91.95230007171631
      },
      {
        "src": "192.168.1.100",
        "sport": 62745,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 3884761,
        "time": 94.51892900466919
      },
      {
        "src": "192.168.1.100",
        "sport": 63095,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 3904332,
        "time": 95.70598816871643
      },
      {
        "src": "192.168.1.100",
        "sport": 61798,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 4043625,
        "time": 96.84034419059753
      },
      {
        "src": "192.168.1.100",
        "sport": 61947,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 4065569,
        "time": 98.32765507698059
      },
      {
        "src": "192.168.1.100",
        "sport": 62433,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 5927107,
        "time": 99.5616512298584
      },
      {
        "src": "192.168.1.100",
        "sport": 53154,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 5951217,
        "time": 100.22248816490173
      },
      {
        "src": "192.168.1.100",
        "sport": 59204,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 5998640,
        "time": 103.72372817993164
      }
    ],
    "icmp": [],
    "http": [
      {
        "count": 2,
        "host": "i.pki.goog",
        "port": 80,
        "data": "GET /gsr1.crt HTTP/1.1\r\nHost: i.pki.goog\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n\r\n",
        "uri": "http://i.pki.goog/gsr1.crt",
        "body": "",
        "path": "/gsr1.crt",
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776380337.99726
      },
      {
        "count": 2,
        "host": "i.pki.goog",
        "port": 80,
        "data": "GET /r4.crt HTTP/1.1\r\nHost: i.pki.goog\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n\r\n",
        "uri": "http://i.pki.goog/r4.crt",
        "body": "",
        "path": "/r4.crt",
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776380338.019956
      },
      {
        "count": 2,
        "host": "i.pki.goog",
        "port": 80,
        "data": "GET /we2.crt HTTP/1.1\r\nHost: i.pki.goog\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n\r\n",
        "uri": "http://i.pki.goog/we2.crt",
        "body": "",
        "path": "/we2.crt",
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776380338.041662
      },
      {
        "count": 2,
        "host": "i.pki.goog",
        "port": 80,
        "data": "GET /gsr4.crt HTTP/1.1\r\nHost: i.pki.goog\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n\r\n",
        "uri": "http://i.pki.goog/gsr4.crt",
        "body": "",
        "path": "/gsr4.crt",
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776380338.065703
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: noiX4UMUPU+bKCaLDXCu3w.0.2.3.1.1\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776380429.138704
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776985227&P2=404&P3=2&P4=UxgJUowjr4phFiUS5t89jUhtvfAuYf6yxZub69HKqd%2f3h4jqkO0Q65wK2fDni1fAsXfD6h%2fPAaRN0I%2beJzwojQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=0-1\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: noiX4UMUPU+bKCaLDXCu3w.0.2.6.1.1.1\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776985227&P2=404&P3=2&P4=UxgJUowjr4phFiUS5t89jUhtvfAuYf6yxZub69HKqd%2f3h4jqkO0Q65wK2fDni1fAsXfD6h%2fPAaRN0I%2beJzwojQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776985227&P2=404&P3=2&P4=UxgJUowjr4phFiUS5t89jUhtvfAuYf6yxZub69HKqd%2f3h4jqkO0Q65wK2fDni1fAsXfD6h%2fPAaRN0I%2beJzwojQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776380429.310308
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776985227&P2=404&P3=2&P4=UxgJUowjr4phFiUS5t89jUhtvfAuYf6yxZub69HKqd%2f3h4jqkO0Q65wK2fDni1fAsXfD6h%2fPAaRN0I%2beJzwojQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=1048576-1697335\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: noiX4UMUPU+bKCaLDXCu3w.0.2.6.1.1.2\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776985227&P2=404&P3=2&P4=UxgJUowjr4phFiUS5t89jUhtvfAuYf6yxZub69HKqd%2f3h4jqkO0Q65wK2fDni1fAsXfD6h%2fPAaRN0I%2beJzwojQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776985227&P2=404&P3=2&P4=UxgJUowjr4phFiUS5t89jUhtvfAuYf6yxZub69HKqd%2f3h4jqkO0Q65wK2fDni1fAsXfD6h%2fPAaRN0I%2beJzwojQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776380429.661245
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776985227&P2=404&P3=2&P4=UxgJUowjr4phFiUS5t89jUhtvfAuYf6yxZub69HKqd%2f3h4jqkO0Q65wK2fDni1fAsXfD6h%2fPAaRN0I%2beJzwojQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=0-1048575\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: noiX4UMUPU+bKCaLDXCu3w.0.2.6.1.1.3\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776985227&P2=404&P3=2&P4=UxgJUowjr4phFiUS5t89jUhtvfAuYf6yxZub69HKqd%2f3h4jqkO0Q65wK2fDni1fAsXfD6h%2fPAaRN0I%2beJzwojQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776985227&P2=404&P3=2&P4=UxgJUowjr4phFiUS5t89jUhtvfAuYf6yxZub69HKqd%2f3h4jqkO0Q65wK2fDni1fAsXfD6h%2fPAaRN0I%2beJzwojQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776380429.714625
      }
    ],
    "dns": [
      {
        "request": "i.pki.goog",
        "type": "A",
        "answers": [
          {
            "type": "A",
            "data": "173.194.73.94"
          },
          {
            "type": "CNAME",
            "data": "pki-goog.l.google.com"
          }
        ],
        "first_seen": 1776380337.93469
      },
      {
        "request": "dns.google",
        "type": "A",
        "answers": [
          {
            "type": "A",
            "data": "8.8.8.8"
          },
          {
            "type": "A",
            "data": "8.8.4.4"
          }
        ],
        "first_seen": 1776380384.011519
      }
    ],
    "smtp": [],
    "irc": [],
    "dead_hosts": [
      [
        "52.123.242.97",
        443
      ],
      [
        "72.154.7.109",
        443
      ],
      [
        "72.154.7.98",
        443
      ],
      [
        "72.154.7.101",
        443
      ],
      [
        "72.154.7.102",
        443
      ],
      [
        "72.154.7.105",
        443
      ],
      [
        "72.154.7.100",
        443
      ],
      [
        "72.154.7.108",
        443
      ],
      [
        "72.154.7.16",
        443
      ]
    ]
  },
  "suricata": {
    "alerts": [],
    "tls": [
      {
        "srcport": 49822,
        "srcip": "192.168.1.100",
        "dstport": 443,
        "dstip": "8.8.8.8",
        "timestamp": "2026-04-16 22:58:57.999354+0000",
        "version": "TLS 1.3",
        "sni": "dns.google",
        "ja3": {
          "hash": "87c36e0efdb847c153954b9f4778e764",
          "string": "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,45-13-43-51-23-0-65037-65281-5-27-10-11-35-18-16-17613,4588-29-23-24,0"
        },
        "ja3s": {
          "hash": "eb1d94daa7e0344597e756a1fb6e7054",
          "string": "771,4865,51-43"
        }
      },
      {
        "srcport": 49824,
        "srcip": "192.168.1.100",
        "dstport": 443,
        "dstip": "8.8.8.8",
        "timestamp": "2026-04-16 22:58:58.226378+0000",
        "version": "TLS 1.3",
        "sni": "dns.google",
        "ja3": {
          "hash": "eca10cbdddc3be37612b1d322437c105",
          "string": "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,51-23-5-45-27-65281-0-35-16-65037-43-10-17613-13-18-11,4588-29-23-24,0"
        },
        "ja3s": {
          "hash": "eb1d94daa7e0344597e756a1fb6e7054",
          "string": "771,4865,51-43"
        }
      },
      {
        "srcport": 49858,
        "srcip": "192.168.1.100",
        "dstport": 443,
        "dstip": "8.8.8.8",
        "timestamp": "2026-04-16 22:59:44.076052+0000",
        "version": "TLS 1.3",
        "sni": "dns.google",
        "ja3": {
          "hash": "00cf290bd02b8f31a70af6a46e70e981",
          "string": "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,18-10-16-17613-11-65037-13-0-51-5-27-43-45-23-35-65281,4588-29-23-24,0"
        },
        "ja3s": {
          "hash": "eb1d94daa7e0344597e756a1fb6e7054",
          "string": "771,4865,51-43"
        }
      }
    ],
    "perf": [],
    "files": [],
    "http": [
      {
        "srcport": 49823,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:58:58.016492+0000",
        "uri": "/gsr1.crt",
        "length": 797,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49823,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:58:58.041662+0000",
        "uri": "/r4.crt",
        "length": 455,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49823,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:58:58.065703+0000",
        "uri": "/we2.crt",
        "length": 582,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49823,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:58:58.093520+0000",
        "uri": "/gsr4.crt",
        "length": 480,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49823,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:58:58.112501+0000",
        "uri": "/gsr1.crt",
        "length": 797,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49823,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:58:58.135670+0000",
        "uri": "/r4.crt",
        "length": 455,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49823,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:58:58.159710+0000",
        "uri": "/we2.crt",
        "length": 582,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49823,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:58:58.226331+0000",
        "uri": "/gsr4.crt",
        "length": 480,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49936,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 23:00:29.219148+0000",
        "uri": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com",
        "length": 246,
        "hostname": "46.149.110.67",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49937,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 23:00:29.391239+0000",
        "uri": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776985227&P2=404&P3=2&P4=UxgJUowjr4phFiUS5t89jUhtvfAuYf6yxZub69HKqd%2f3h4jqkO0Q65wK2fDni1fAsXfD6h%2fPAaRN0I%2beJzwojQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 2,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49937,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 23:00:30.187861+0000",
        "uri": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776985227&P2=404&P3=2&P4=UxgJUowjr4phFiUS5t89jUhtvfAuYf6yxZub69HKqd%2f3h4jqkO0Q65wK2fDni1fAsXfD6h%2fPAaRN0I%2beJzwojQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 648760,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49941,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 23:00:30.422043+0000",
        "uri": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776985227&P2=404&P3=2&P4=UxgJUowjr4phFiUS5t89jUhtvfAuYf6yxZub69HKqd%2f3h4jqkO0Q65wK2fDni1fAsXfD6h%2fPAaRN0I%2beJzwojQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 1048576,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      }
    ],
    "dns": [
      {
        "timestamp": "2026-04-16T22:58:57.934423+0000",
        "flow_id": 354145425798204,
        "pcap_cnt": 463,
        "event_type": "dns",
        "src_ip": "192.168.1.100",
        "src_port": 57490,
        "dest_ip": "8.8.8.8",
        "dest_port": 53,
        "proto": "UDP",
        "pkt_src": "wire/pcap",
        "dns": {
          "version": 2,
          "type": "query",
          "id": 30694,
          "rrname": "i.pki.goog",
          "rrtype": "HTTPS",
          "tx_id": 0,
          "opcode": 0
        }
      },
      {
        "timestamp": "2026-04-16T22:58:57.934690+0000",
        "flow_id": 355289657069283,
        "pcap_cnt": 464,
        "event_type": "dns",
        "src_ip": "192.168.1.100",
        "src_port": 53882,
        "dest_ip": "8.8.8.8",
        "dest_port": 53,
        "proto": "UDP",
        "pkt_src": "wire/pcap",
        "dns": {
          "version": 2,
          "type": "query",
          "id": 51226,
          "rrname": "i.pki.goog",
          "rrtype": "A",
          "tx_id": 0,
          "opcode": 0
        }
      },
      {
        "timestamp": "2026-04-16T22:58:57.953587+0000",
        "flow_id": 354145425798204,
        "pcap_cnt": 472,
        "event_type": "dns",
        "src_ip": "192.168.1.100",
        "src_port": 57490,
        "dest_ip": "8.8.8.8",
        "dest_port": 53,
        "proto": "UDP",
        "pkt_src": "wire/pcap",
        "dns": {
          "version": 2,
          "type": "answer",
          "id": 30694,
          "flags": "8180",
          "qr": true,
          "rd": true,
          "ra": true,
          "opcode": 0,
          "rrname": "i.pki.goog",
          "rrtype": "HTTPS",
          "rcode": "NOERROR",
          "answers": [
            {
              "rrname": "i.pki.goog",
              "rrtype": "CNAME",
              "ttl": 223,
              "rdata": "pki-goog.l.google.com"
            }
          ],
          "grouped": {
            "CNAME": [
              "pki-goog.l.google.com"
            ]
          },
          "authorities": [
            {
              "rrname": "l.google.com",
              "rrtype": "SOA",
              "ttl": 60,
              "soa": {
                "mname": "ns1.google.com",
                "rname": "dns-admin.google.com",
                "serial": 900627266,
                "refresh": 900,
                "retry": 900,
                "expire": 1800,
                "minimum": 60
              }
            }
          ]
        }
      },
      {
        "timestamp": "2026-04-16T22:58:57.950253+0000",
        "flow_id": 355289657069283,
        "pcap_cnt": 468,
        "event_type": "dns",
        "src_ip": "192.168.1.100",
        "src_port": 53882,
        "dest_ip": "8.8.8.8",
        "dest_port": 53,
        "proto": "UDP",
        "pkt_src": "wire/pcap",
        "dns": {
          "version": 2,
          "type": "answer",
          "id": 51226,
          "flags": "8180",
          "qr": true,
          "rd": true,
          "ra": true,
          "opcode": 0,
          "rrname": "i.pki.goog",
          "rrtype": "A",
          "rcode": "NOERROR",
          "answers": [
            {
              "rrname": "i.pki.goog",
              "rrtype": "CNAME",
              "ttl": 282,
              "rdata": "pki-goog.l.google.com"
            },
            {
              "rrname": "pki-goog.l.google.com",
              "rrtype": "A",
              "ttl": 300,
              "rdata": "173.194.73.94"
            }
          ],
          "grouped": {
            "A": [
              "173.194.73.94"
            ],
            "CNAME": [
              "pki-goog.l.google.com"
            ]
          }
        }
      },
      {
        "timestamp": "2026-04-16T22:59:44.011519+0000",
        "flow_id": 49475341019647,
        "pcap_cnt": 2147,
        "event_type": "dns",
        "src_ip": "192.168.1.100",
        "src_port": 55278,
        "dest_ip": "8.8.8.8",
        "dest_port": 53,
        "proto": "UDP",
        "pkt_src": "wire/pcap",
        "dns": {
          "version": 2,
          "type": "query",
          "id": 57095,
          "rrname": "dns.google",
          "rrtype": "A",
          "tx_id": 0,
          "opcode": 0
        }
      },
      {
        "timestamp": "2026-04-16T22:59:44.032062+0000",
        "flow_id": 49475341019647,
        "pcap_cnt": 2155,
        "event_type": "dns",
        "src_ip": "192.168.1.100",
        "src_port": 55278,
        "dest_ip": "8.8.8.8",
        "dest_port": 53,
        "proto": "UDP",
        "pkt_src": "wire/pcap",
        "dns": {
          "version": 2,
          "type": "answer",
          "id": 57095,
          "flags": "8180",
          "qr": true,
          "rd": true,
          "ra": true,
          "opcode": 0,
          "rrname": "dns.google",
          "rrtype": "A",
          "rcode": "NOERROR",
          "answers": [
            {
              "rrname": "dns.google",
              "rrtype": "A",
              "ttl": 651,
              "rdata": "8.8.8.8"
            },
            {
              "rrname": "dns.google",
              "rrtype": "A",
              "ttl": 651,
              "rdata": "8.8.4.4"
            }
          ],
          "grouped": {
            "A": [
              "8.8.8.8",
              "8.8.4.4"
            ]
          }
        }
      },
      {
        "timestamp": "2026-04-16T22:59:44.011263+0000",
        "flow_id": 48376838833382,
        "pcap_cnt": 2146,
        "event_type": "dns",
        "src_ip": "192.168.1.100",
        "src_port": 58635,
        "dest_ip": "8.8.8.8",
        "dest_port": 53,
        "proto": "UDP",
        "pkt_src": "wire/pcap",
        "dns": {
          "version": 2,
          "type": "query",
          "id": 63009,
          "rrname": "dns.google",
          "rrtype": "HTTPS",
          "tx_id": 0,
          "opcode": 0
        }
      },
      {
        "timestamp": "2026-04-16T22:59:44.031732+0000",
        "flow_id": 48376838833382,
        "pcap_cnt": 2152,
        "event_type": "dns",
        "src_ip": "192.168.1.100",
        "src_port": 58635,
        "dest_ip": "8.8.8.8",
        "dest_port": 53,
        "proto": "UDP",
        "pkt_src": "wire/pcap",
        "dns": {
          "version": 2,
          "type": "answer",
          "id": 63009,
          "flags": "8180",
          "qr": true,
          "rd": true,
          "ra": true,
          "opcode": 0,
          "rrname": "dns.google",
          "rrtype": "HTTPS",
          "rcode": "NOERROR",
          "authorities": [
            {
              "rrname": "dns.google",
              "rrtype": "SOA",
              "ttl": 169,
              "soa": {
                "mname": "ns1.zdns.google",
                "rname": "cloud-dns-hostmaster.google.com",
                "serial": 1,
                "refresh": 21600,
                "retry": 3600,
                "expire": 259200,
                "minimum": 300
              }
            }
          ]
        }
      }
    ],
    "ssh": [],
    "fileinfo": [],
    "eve_log_full_path": "/opt/CAPEv2/storage/analyses/42/logs/eve.json",
    "alert_log_full_path": null,
    "tls_log_full_path": null,
    "http_log_full_path": null,
    "file_log_full_path": null,
    "ssh_log_full_path": null,
    "dns_log_full_path": null
  },
  "url_analysis": {},
  "procmemory": [],
  "signatures": [
    {
      "name": "queries_computer_name",
      "description": "Queries computer hostname",
      "categories": [
        "system_discovery"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 7684,
          "cid": 2105
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "queries_keyboard_layout",
      "description": "Queries the keyboard layout",
      "categories": [
        "location_discovery"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 7684,
          "cid": 7561
        },
        {
          "type": "call",
          "pid": 7684,
          "cid": 7580
        },
        {
          "type": "call",
          "pid": 7684,
          "cid": 7607
        },
        {
          "type": "call",
          "pid": 7684,
          "cid": 7676
        },
        {
          "type": "call",
          "pid": 7684,
          "cid": 7680
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 4357
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "queries_locale_api",
      "description": "Queries the computer locale (possible geofencing)",
      "categories": [
        "location_discovery",
        "geofence"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 7684,
          "cid": 744
        },
        {
          "type": "call",
          "pid": 7684,
          "cid": 1709
        },
        {
          "type": "call",
          "pid": 7684,
          "cid": 7465
        },
        {
          "type": "call",
          "pid": 7684,
          "cid": 7825
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 487
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "antidebug_setunhandledexceptionfilter",
      "description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
      "categories": [
        "anti-debug"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 40,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 7684,
          "cid": 370
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "exec_crash",
      "description": "At least one process apparently crashed during execution",
      "categories": [
        "execution"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3832,
          "cid": 4239
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "language_check_registry",
      "description": "Checks system language via registry key (possible geofencing)",
      "categories": [
        "location_discovery",
        "geofence"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"
        },
        {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "encrypted_ioc",
      "description": "At least one IP Address, Domain, or File Name was found in a crypto call",
      "categories": [
        "encryption"
      ],
      "severity": 2,
      "weight": 0,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3832,
          "cid": 373
        },
        {
          "ioc": "x00.text"
        },
        {
          "ioc": "xc0.rsrc"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "createtoolhelp32snapshot_module_enumeration",
      "description": "Enumerates the modules from a process (may be used to locate base addresses in process injection)",
      "categories": [
        "discovery"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3832,
          "cid": 1739
        },
        {
          "module": "pid 7684 module ntdll.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 1745
        },
        {
          "module": "pid 7684 module MSCOREE.DLL"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 1751
        },
        {
          "module": "pid 7684 module KERNEL32.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 1758
        },
        {
          "module": "pid 7684 module KERNELBASE.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 1766
        },
        {
          "module": "pid 7684 module apphelp.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 1775
        },
        {
          "module": "pid 7684 module CRYPT32.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 1785
        },
        {
          "module": "pid 7684 module ucrtbase.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 1796
        },
        {
          "module": "pid 7684 module WS2_32.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 1808
        },
        {
          "module": "pid 7684 module RPCRT4.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 1821
        },
        {
          "module": "pid 7684 module USER32.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 1835
        },
        {
          "module": "pid 7684 module win32u.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 1850
        },
        {
          "module": "pid 7684 module GDI32.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 1866
        },
        {
          "module": "pid 7684 module gdi32full.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 1883
        },
        {
          "module": "pid 7684 module msvcp_win.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 1901
        },
        {
          "module": "pid 7684 module ADVAPI32.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 1920
        },
        {
          "module": "pid 7684 module msvcrt.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 1940
        },
        {
          "module": "pid 7684 module sechost.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 1961
        },
        {
          "module": "pid 7684 module ole32.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 1983
        },
        {
          "module": "pid 7684 module combase.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2006
        },
        {
          "module": "pid 7684 module OLEAUT32.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2010
        },
        {
          "module": "pid 7684 module SHLWAPI.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2011
        },
        {
          "module": "pid 7684 module bcrypt.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2012
        },
        {
          "module": "pid 7684 module IMM32.DLL"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2013
        },
        {
          "module": "pid 7684 module CRYPTBASE.DLL"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2014
        },
        {
          "module": "pid 7684 module SspiCli.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2015
        },
        {
          "module": "pid 7684 module mscoreei.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2016
        },
        {
          "module": "pid 7684 module kernel.appcore.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2017
        },
        {
          "module": "pid 7684 module VERSION.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2018
        },
        {
          "module": "pid 7684 module mscorwks.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2019
        },
        {
          "module": "pid 7684 module MSVCR80.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2020
        },
        {
          "module": "pid 7684 module shell32.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2021
        },
        {
          "module": "pid 7684 module windows.storage.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2022
        },
        {
          "module": "pid 7684 module Wldp.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2023
        },
        {
          "module": "pid 7684 module SHCORE.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2024
        },
        {
          "module": "pid 7684 module profapi.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2025
        },
        {
          "module": "pid 7684 module mscorlib.ni.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2026
        },
        {
          "module": "pid 7684 module bcryptPrimitives.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2027
        },
        {
          "module": "pid 7684 module uxtheme.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2028
        },
        {
          "module": "pid 7684 module mscorjit.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2029
        },
        {
          "module": "pid 7684 module System.ni.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2030
        },
        {
          "module": "pid 7684 module psapi.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2031
        },
        {
          "module": "pid 7684 module Microsoft.VisualBasic.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2032
        },
        {
          "module": "pid 7684 module System.Drawing.ni.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2033
        },
        {
          "module": "pid 7684 module System.Windows.Forms.ni.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2034
        },
        {
          "module": "pid 7684 module System.Runtime.Remoting.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2035
        },
        {
          "module": "pid 7684 module mswsock.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2036
        },
        {
          "module": "pid 7684 module System.Configuration.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2037
        },
        {
          "module": "pid 7684 module System.Xml.ni.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2038
        },
        {
          "module": "pid 7684 module CRYPTSP.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2039
        },
        {
          "module": "pid 7684 module rsaenh.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2040
        },
        {
          "module": "pid 7684 module MSCTF.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2041
        },
        {
          "module": "pid 7684 module gdiplus.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2042
        },
        {
          "module": "pid 7684 module DWrite.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2043
        },
        {
          "module": "pid 7684 module WindowsCodecs.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2044
        },
        {
          "module": "pid 7684 module comctl32.dll"
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 2045
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "reads_self",
      "description": "Reads data out of its own binary image",
      "categories": [
        "generic"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 30,
      "references": [],
      "data": [
        {
          "self_read": "process: NanoCore.exe, pid: 7684, offset: 0x00000000, length: 0x00160400"
        },
        {
          "self_read": "process: NanoCore.exe, pid: 7684, offset: 0x3030785c3030785c, length: 0x00001000"
        },
        {
          "self_read": "process: NanoCore.exe, pid: 7684, offset: 0x3030785c3038785c, length: 0x00000200"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "network_cnc_http",
      "description": "HTTP traffic contains suspicious features that may indicate malware-related traffic",
      "categories": [
        "network",
        "c2"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 30,
      "references": [],
      "data": [
        {
          "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
        },
        {
          "suspicious_request": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com"
        },
        {
          "suspicious_request": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776985227&P2=404&P3=2&P4=UxgJUowjr4phFiUS5t89jUhtvfAuYf6yxZub69HKqd%2f3h4jqkO0Q65wK2fDni1fAsXfD6h%2fPAaRN0I%2beJzwojQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "network_http",
      "description": "Performs some HTTP requests",
      "categories": [
        "network"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 30,
      "references": [],
      "data": [
        {
          "url": "http://i.pki.goog/gsr1.crt"
        },
        {
          "url": "http://i.pki.goog/r4.crt"
        },
        {
          "url": "http://i.pki.goog/we2.crt"
        },
        {
          "url": "http://i.pki.goog/gsr4.crt"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776985227&P2=404&P3=2&P4=UxgJUowjr4phFiUS5t89jUhtvfAuYf6yxZub69HKqd%2f3h4jqkO0Q65wK2fDni1fAsXfD6h%2fPAaRN0I%2beJzwojQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "packer_unknown_pe_section_name",
      "description": "The binary contains an unknown PE section name indicative of packing",
      "categories": [
        "packer"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "unknown section": {
            "name": ".sdata",
            "raw_address": "0x0015b600",
            "virtual_address": "0x0015e000",
            "virtual_size": "0x000001e8",
            "size_of_data": "0x00000200",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "6.61"
          }
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "packer_entropy",
      "description": "The binary likely contains encrypted or compressed data",
      "categories": [
        "packer"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 100,
      "references": [
        "http://www.forensickb.com/2013/03/file-entropy-explained.html",
        "http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
      ],
      "data": [
        {
          "section": {
            "name": ".text",
            "raw_address": "0x00000400",
            "virtual_address": "0x00002000",
            "virtual_size": "0x0015b0d4",
            "size_of_data": "0x0015b200",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x60000020",
            "entropy": "7.47"
          }
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "injection_rwx",
      "description": "Creates RWX memory",
      "categories": [
        "injection"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 50,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 7684,
          "cid": 239
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "antivm_generic_system",
      "description": "Checks the system manufacturer, likely for anti-virtualization",
      "categories": [
        "anti-vm"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [],
      "new_data": [
        {
          "process": {
            "process_name": "dw20.exe",
            "process_id": 3832
          },
          "signs": [
            {
              "type": "registry",
              "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer"
            }
          ]
        },
        {
          "process": {
            "process_name": "dw20.exe",
            "process_id": 3832
          },
          "signs": [
            {
              "type": "registry",
              "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer"
            }
          ]
        },
        {
          "process": {
            "process_name": "dw20.exe",
            "process_id": 3832
          },
          "signs": [
            {
              "type": "registry",
              "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer"
            }
          ]
        },
        {
          "process": {
            "process_name": "dw20.exe",
            "process_id": 3832
          },
          "signs": [
            {
              "type": "registry",
              "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer"
            }
          ]
        }
      ],
      "alert": false,
      "families": []
    },
    {
      "name": "suspicious_iocontrol_codes",
      "description": "Uses suspicious IO control codes, indicative of a bootkit or wiper",
      "categories": [
        "bootkit",
        "rootkit",
        "wiper"
      ],
      "severity": 3,
      "weight": 4,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3832,
          "cid": 399
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 402
        },
        {
          "type": "call",
          "pid": 3832,
          "cid": 403
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "network_bind",
      "description": "Starts servers listening on 127.0.0.1:0",
      "categories": [
        "network"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 7684,
          "cid": 2279
        },
        {
          "type": "call",
          "pid": 7684,
          "cid": 2281
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "binary_yara",
      "description": "Binary file triggered multiple YARA rules",
      "categories": [
        "static"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 80,
      "references": [],
      "data": [
        {
          "Binary triggered YARA rule": "COD3NYM_SUSP_OBF_NET_Reactor_Indicators_Jan24"
        },
        {
          "Binary triggered YARA rule": "DITEKSHEN_MALWARE_Win_Nanocore"
        },
        {
          "Binary triggered YARA rule": "Windows_Trojan_Nanocore_d8c4e3c5"
        },
        {
          "Binary triggered YARA rule": "IsPE32"
        },
        {
          "Binary triggered YARA rule": "IsNET_EXE"
        },
        {
          "Binary triggered YARA rule": "IsWindowsGUI"
        },
        {
          "Binary triggered YARA rule": "IsPacked"
        },
        {
          "Binary triggered YARA rule": "Microsoft_Visual_Studio_NET"
        },
        {
          "Binary triggered YARA rule": "Microsoft_Visual_C_v70_Basic_NET_additional"
        },
        {
          "Binary triggered YARA rule": "Microsoft_Visual_C_Basic_NET"
        },
        {
          "Binary triggered YARA rule": "Microsoft_Visual_Studio_NET_additional"
        },
        {
          "Binary triggered YARA rule": "Microsoft_Visual_C_v70_Basic_NET"
        },
        {
          "Binary triggered YARA rule": "NET_executable_"
        },
        {
          "Binary triggered YARA rule": "NET_executable"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "network_questionable_http_path",
      "description": "Makes a suspicious HTTP request to a commonly exploitable directory with a questionable file extension",
      "categories": [
        "network"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "url": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776985227&P2=404&P3=2&P4=UxgJUowjr4phFiUS5t89jUhtvfAuYf6yxZub69HKqd%2f3h4jqkO0Q65wK2fDni1fAsXfD6h%2fPAaRN0I%2beJzwojQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776985227&P2=404&P3=2&P4=UxgJUowjr4phFiUS5t89jUhtvfAuYf6yxZub69HKqd%2f3h4jqkO0Q65wK2fDni1fAsXfD6h%2fPAaRN0I%2beJzwojQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776985227&P2=404&P3=2&P4=UxgJUowjr4phFiUS5t89jUhtvfAuYf6yxZub69HKqd%2f3h4jqkO0Q65wK2fDni1fAsXfD6h%2fPAaRN0I%2beJzwojQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "procmem_yara",
      "description": "YARA detections observed in process dumps, payloads or dropped files",
      "categories": [
        "malware"
      ],
      "severity": 3,
      "weight": 4,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "Hit": "PID 3832 triggered the Yara rule 'IsPE32' with data '[]'"
        },
        {
          "Hit": "PID 3832 triggered the Yara rule 'IsWindowsGUI' with data '[]'"
        },
        {
          "Hit": "PID 3832 triggered the Yara rule 'HasDebugData' with data '[]'"
        },
        {
          "Hit": "PID 3832 triggered the Yara rule 'HasRichSignature' with data '['Rich']'"
        },
        {
          "Hit": "PID 3832 triggered the Yara rule 'Visual_Cpp_2005_Release_Microsoft' with data '['{ E8 84 06 00 00 E9 A2 FD FF FF }']'"
        },
        {
          "Hit": "PID 3832 triggered the Yara rule 'VC8_Microsoft_Corporation' with data '['{ E8 84 06 00 00 E9 A2 FD FF FF }', '{ E8 FB FE FF FF E9 DD FF FF FF }', '{ E8 EC FE FF FF E9 CE FF FF FF }']'"
        },
        {
          "Hit": "PID 3832 triggered the Yara rule 'Microsoft_Visual_Cpp_8' with data '['\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00', '\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00', '\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00', '\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00', 
'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00', '\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00', '{ 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 1A A6 DC 9E 1A A6 DC 9E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }', '{ 00 00 00 00 00 00 02 00 00 00 00 00 00 00 1A A6 DC 9E 1A A6 DC 9E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }', '\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00', 
'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00', '\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00', '\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x06\\x00\\x00', '{ E8 84 06 00 00 E9 A2 FD FF FF }']'"
        },
        {
          "Hit": "PID 7684 triggered the Yara rule 'IsPE32' with data '[]'"
        },
        {
          "Hit": "PID 7684 triggered the Yara rule 'IsWindowsGUI' with data '[]'"
        },
        {
          "Hit": "PID 7684 triggered the Yara rule 'IsBeyondImageSize' with data '[]'"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "antivm_generic_disk",
      "description": "Queries information on disks, possibly for anti-virtualization",
      "categories": [
        "anti-vm"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3832,
          "cid": 402
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    }
  ],
  "malscore": 9.0,
  "ttps": [
    {
      "signature": "antivm_generic_system",
      "ttps": [
        "T1012",
        "T1057",
        "T1082",
        "T1497"
      ],
      "mbcs": [
        "OB0001",
        "B0009",
        "B0009.005",
        "OB0007",
        "E1082",
        "OC0008",
        "C0036",
        "C0036.005"
      ]
    },
    {
      "signature": "suspicious_iocontrol_codes",
      "ttps": [
        "T1542.003"
      ],
      "mbcs": [
        "OC0006",
        "C0002",
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "encrypted_ioc",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002",
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "network_bind",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OB0004",
        "B0030",
        "OC0006",
        "C0001"
      ]
    },
    {
      "signature": "createtoolhelp32snapshot_module_enumeration",
      "ttps": [
        "T1057"
      ],
      "mbcs": [
        "OB0007"
      ]
    },
    {
      "signature": "reads_self",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0001",
        "C0051"
      ]
    },
    {
      "signature": "binary_yara",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002",
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "network_cnc_http",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OB0004",
        "B0033",
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "network_http",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "network_questionable_http_path",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002",
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "packer_unknown_pe_section_name",
      "ttps": [
        "T1027.002",
        "T1027"
      ],
      "mbcs": [
        "OB0001",
        "OB0002",
        "OB0006",
        "F0001"
      ]
    },
    {
      "signature": "packer_entropy",
      "ttps": [
        "T1027.002",
        "T1027"
      ],
      "mbcs": [
        "OB0001",
        "OB0002",
        "OB0006",
        "F0001"
      ]
    },
    {
      "signature": "procmem_yara",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002",
        "OC0006",
        "C0002"
      ]
    }
  ],
  "malstatus": "Malicious"
}